Quantum cryptography 



Nicolas Gisin, Gregoire Ribordy, Wolfgang Tittel and Hugo Zbinden 
Group of Applied Physics, University of Geneva, 1211 Geneva 4, Switzerland 
(February 1, 2008; submitted to Reviews of Modern Physics) 



Quantum cryptography could well be the first application 
of quantum mechanics at the individual quanta level. The 
veryi fast piugiess in both Lheuiy and expeiimeuLs uvei Llie 



4 Free-space linkg 



C Single-photon detection 



1 Photon counting at wavelengths be- 



rece nt years arc reviewed, with cmphaaia on open questions 



low 1.1 jim 



and 



tcchnologioal iaauca. 



2 Photon counting at telecomniunica- 



tion wavelengths 



Contents 



D Quantum random number generators 



E Quantum repeaters 



introduction 



[V Experimental quantum cryptography 



with Faint laser pulses 



II 



A beautiful idea 



A The intuition 



B Classical cryptography 



A Quantum Bit Error Rate 



B Polarization coding 



C Phase coding 



1 AsynmieLrical (public-key) crypr 



1 The double Mach-Zehnder imple- 



lusysLem! 



mentation 



2 Symmetrical (secret-key) cryptosys- 



tem£ 



D Frequency coding 



3 The one-time-pad as "classical tele- 



portatr 



C The example of the BB84 protocol . 



iple 



2 The "Plug-fc-Play" systems 



E Free space line-of-sight applications 



F Multi-users implementations 



V Experimental quantum cryptography 



2 INo clonmg theoren: 



with photon pairs 



3 Intercept-rescnd strategy 6 



4 Error correction, privacy amplifica- 



tion and quantum secret growing 



5 Advantage distillation 



D Other protocols 



1 2-state protocol 



A Polarization entanglement| 



B Energy-time entanglemen 



1 Phase-codin 



2 6-state protocol 



3 EPR protocol 



4 Other variations 



6 
8 
8 
8 
9 
9 
10 



2 Phase-time coding 



3 Quantum secret sharing 



|E Quantum teleportation as "Quantum 



VI Eavesdropping 

A Problems and Objectivesj 



B Idealized versus real implementation 



C Individual, joint and collective attacks 



D 



iple 



individual attacks: interce 



£1 



one-time-pad" 



10 



F Optical amplihcation, c^iantum non 



resend, measurement in the intermedi- 



ate basis 



demolition measurements and optimal 
quantum cloning] 10 



E Symmetric individual attacks 



III Technological challenges 



K Plioton sources 



12 



TT 



F Connection to Bell inequality 



G Ultimate security proofs 



H Photon number measurements, lossless 



channels 



t f amt laser pulses 17 



2 Photon pairs generated by paramet- 



ric downconversion 



I A realistic beamsplitter attack 



J Multi-photon pulses and passive choice 



3 Photon guns 



of states 



B 



Quantum channels 



14 



I Sniglemode hbers 14 



K Trojan Horse Attacks 



L Real security: technology, cost and 



2 Polarization effects m smglemode 



fibers 



complexity 



15 



3 Chromatic dispersion effects in sin- 



VII Conclusion 



glemode fibers 16 



1 



I. INTRODUCTION 



a way that they can be read independently. 



Electrodynamics was discovered and formalized in the 
19*'' century. The 20*'* century was then profoundly af- 
fected by its applications. A similar adventure is pos- 
sibly happening for quantum mechanics, discovered and 
formalized during the last century. Indeed, although the 
laser and semiconductors are already common, applica- 
tions of the most radical predictions of quantum mechan- 
ics have been thought of only recently and their full power 
remains a fresh gold mine for the physicists and engineers 
of the 21** century. 

The most peculiar characteristics of quantum mechan- 
ics are the existence of indivisible quanta and of entan- 
gled systems. Both of these are at the root of Quantum 
Cryptography (QC) which could very well be the first 
commercial application of quantum physics at the indi- 
vidual quantum level. In addition to quantum mechan- 
ics, the 20*'' century has been marked by two other major 
scientific revolutions: the theory of information and rel- 
ativity. The status of the latter is well recognized. It 
is less known that the concept of information, nowadays 
measured in bits, and the formalization of probabilities is 
quite recentQ although they have a tremendous impact 
on our daily life. It is fascinating to realize that QC lies at 
the intersection of quantum mechanics and information 
theory and that, moreover, the tension between quan- 
tum mechanics and relativity - the famous EPR paradox 
(Einsteinei a/. 1935) - is closely connected to the security 
of QC. Let us add a further point for the young physicists. 
Contrary to laser and semiconductor physics, which are 
manifestations of quantum physics at the ensemble level 
and can thus be described by semi-classical models, QC, 
and even much more quantum computers, require a full 
quantum mechanical description (this may offer interest- 
ing jobs for physicists well trained in the subtleties of 
their science). 

This review article has several objectives. First we 
present the basic intuition behind QC. Indeed the basic 
idea is so beautiful and simple that every physicist and 
every student should be given the pleasure to enjoy it. 
The general principle is the n set in the broader context of 
modern cryp tology (section II B) and made more precise 
(section II C ). Chapter [II discusses the main technologi- 
cal challenges. Then, chapters IV and ^ present the most 
common implementation of QC using weak laser pulses 
and photon pairs, respectively. Finally, the important 
and difficult problems of eavesdropping and of security 
proofs are discussed in chapter VI , where the emphasis is 
more on the variety of questions than on technical issues. 
We tried to write the different parts of this review in such 



II. A BEAUTIFUL IDEA 

The idea of QC was first proposed only in the 1970's 
by Wiesner]^ (1983) and by Charles H. Bennett from 
IBM and Gilles Brassard from Montreal University (1984, 
1985)^. However, this idea is so simple that actually ev- 
ery first year student since the infancy of quantum me- 
chanics could have discovered it! Nevertheless, it is only 
nowadays that the matter is mature and information se- 
curity important enough, and - interestingly - only nowa- 
days that physicists are ready to consider quantum me- 
chanics, not only as a strange theory good for paradoxes, 
but also as a tool for new engineering. Apparently, infor- 
mation theory, classical cryptography, quantum physics 
and quantum optics had first to develop into mature sci- 
ences. It is certainly not a coincidence that QC and, more 
generally, quantum information has been developed by a 
community including many computer scientists and more 
mathematics oriented young physicists. A broader inter- 
est than traditional physics was needed. 



A. The intuition 

Quantum Physics is well-known for being counter- 
intuitive, or even bizarre. We teach students that Quan- 
tum Physics establishes a set of negative rules stating 
things that cannot be done. For example: 

1. Every measurement perturbs the system. 

2. One cannot determine simultaneously the position 
and the momentum of a particle with arbitrary high 
accuracy. 

3. One cannot measure the polarization of a photon in 
the vertical-horizontal basis and simultaneously in 
the diagonal basis. 



^The Russian mathematician A.N. Kolmogorow (1956) is 
credited with being the first to have consistently formulated 
a mathematical theory of probabilities in the 1940's. 



^Stephen Wiesner, then at Columbia University, was the 
first one to propose ideas closely related to QC, already in 
the 1970's. However, his revolutionary paper appeared only a 
decade later. Since it is diflicult to find, let us mention his ab- 
stract: The uncertainty principle imposes restrictions on the 
capacity of certain types of communication channels. This pa- 
per will show that in compensation for this "quantum noise", 
quantum mechanics allows us novel forms of coding without 
analogue in communication channels adequately described by 
classical physics. 

''Artur Ekert (1991) from Oxford University discovered QC 
indep endent ly, though from a different perspective (see para- 
graph flD3|). 



2 



4. One cannot draw pictures of individual quantum 
processes. 

5. One cannot duplicate an unknown quantum state. 

This negative viewpoint on Quantum Physics, due to 
its contrast to classical physics, has only recently been 
turned positive and QC is one of the best illustrations 
of this psychological revolution. Actually, one could car- 
icature Quantum Information Processing as the science 
of turning Quantum conundrums into potentially useful 
applications. 

Let us illustrate this for QC. One of the basic negative 
statement of Quantum Physics reads: 



Every measurement perturbs the system 



(1) 



(except if the quantum state is compatible with the mea- 
surement). The positive side of this axiom can be seen 
when applied to a communication between Alice and 
Bob (the conventional names of the sender and receiver, 
respectively), provided the communication is quantum. 
The latter means that the support of information are 
quantum systems, like, for example, individual photons. 
Indeed, then axiom (|l]) applies also to the eavesdroppers, 
i.e. to a malicious Eve (the conventional name given to 
the adversary in cryptology). Hence, Eve cannot get any 
information about the communication without introduc- 
ing perturbations which would reveal her presence. 

To make this intuition more precise, imagine that Alice 
codes information in individual photons which she sends 
to Bob. If Bob receives the photons unperturbed, then, 
by the basic axiom (|l|), the photons were not measured. 
No measurement implies that Eve did not get any in- 
formation about the photons (note that acquiring infor- 
mation is synonymous to carrying out measurements). 
Consequently, after exchanging the photons, Alice and 
Bob can check whether someone "was listening": they 
simply compare a randomly chosen subset of their data 
using a public channel. If Bob received the randomly 
chosen subset unperturbed then the logic goes as follows: 



No perturbation - 



It is as simple as that! 



No measurement 
No eavesdropping 



(2) 



Actually, there are two more points to add. First, in 
order to ensure that axiom ([^) applies, Alice encodes her 
information in non- ortho gon al sta tes (we shall illustrate 
this in the sections [IC and |lD). Second, as we have 
presented it so far, Alice and Bob could discover any 
eavesdropper, but only after they exchanged their mes- 
sage. It would of course be much better to ensure the 
privacy in advance, and not afterwards! To achieve this, 
Alice and Bob complement the above simple idea with a 
second idea, again a very simple one, and one which is 
entirely classical. Alice and Bob do not use the quantum 



channel to transmit information, but only to transmit a 
random sequence of bits, i.e. a key. Now, if the key is 
unperturbed, then Quantum Physics guarantees that no 
one got any information about this key by eavesdropping 
(i.e. measuring) the quantum communication channel. 
In this case, Alice and Bob can safely use this key to 
encode messages. If, on the contrary, the key turns out 
to be perturbed, then Alice and Bob simply disregard it; 
since the key does not contain any information, they did 
not lose any. 

Let us make this gen eral idea somewhat more pre- 
cise, anticipating section II C . In practice, the individual 
quanta used by Alice and Bob, often called qubits (for 
quantum bits), are encoded in individual photons. For 
example, vertical and horizontal polarization code for bit 
value zero and one, respectively. The second basis, can 
then be the diagonal one (±45° linear polarization), with 
-f 45° for bit 1 and —45° for bit 0, respectively (see Fig. 
|l|). Alternatively, the circular polarization basis could 
be used as second basis. For photons the quantum com- 
munication channel can either be free space (see section 
IV E) or optical fibers - special fibers o r the ones used in 



standard telecommunication - (section |lll B ). The com- 
munication channel is thus not really quantum. What is 
quantum are the information carriers. 

But before continuing, we need to see how QC could 
fit in the existing cryptosystems. For this purpose the 
next section briefly surveys some of the main aspects of 
modern cryptology. 



B. Classical cryptography 

Cryptography is the art of rendering a message un- 
intelligible to any unauthorized party. It is part of the 
broader field of cryptology, which also includes crypto- 
analysis, the art of code breaking (for a historical per- 
spective, see Singh 1999). To achieve this goal, an algo- 
rithm (also called a cryptosystem or cipher) is used to 
combine a message with some additional information - 
known as the "key" - and produce a cryptogram. This 
technique is known as "encryption" . For a cryptosystem 
to be secure, it should be impossible to unlock the cryp- 
togram without the key. In practice, this demand is often 
softened so that the system is just extremely difficult to 
crack. The idea is that the message should remain pro- 
tected at least as long as the information it contains is 
valuable. Although confidentiality is the traditional ap- 
plication of cryptography, it is used nowadays to achieve 
broader objectives, such as authentication, digital signa- 
tures and non-repudiation (Brassard 1988). 



1. Asymmetrical (public-key) cryptosystems 

Cryptosytems come in two main classes - depending on 
whether Alice and Bob use the same key. Asymmetrical 



3 



systems involve the use of different keys for encryption 
and decryption. They are commonly known as public-key 
cryptosystems. Their principle was first proposed in 1976 
by Whitfield Diffie and Martin Hellman, who were then 
at Stanford University in the US. The first actual im- 
plementation was then developed by Ronald Rivest, Adi 
Shamir, and Leonard Adleman of the Massachusetts In- 
stitute of Technology in 1978^. It is known as RSA and is 
still widely used. If Bob wants to be able to receive mes- 
sages encrypted with a public key cryptosystem, he must 
first choose a "private" key, which he keeps secret. Then, 
he computes from this private key a "public" key, which 
he discloses to any interested party. Alice uses this public 
key to encrypt her message. She transmits the encrypted 
message to Bob, who decrypts it with the private key. 
Public-key cryptosystems are convenient and they have 
thus become very popular over the last 20 years. The 
security of the internet, for example, is partially based 
on such systems. They can be thought of as a mailbox, 
where anybody can insert a letter. Only the legitimate 
owner can then recover it, by opening it with his private 
key. 

The security of public key cryptosystems is based on 
computational complexity. The idea is to use mathemat- 
ical objects called one-way functions. By definition, it 
is easy to compute the function f{x) given the variable 
X, but difhcult to reverse the calculation and compute x 
from f{x). In the context of computational complexity, 
the word "difficult" means that the time to do a task 
grows exponentially with the number of bits in the in- 
put, while "easy" means that it grows polynomially. In- 
tuitively, it is easy to understand that it only takes a few 
seconds to work out 67 x 71, but it takes much longer 
to find the prime factors of 4757. However, factoring has 
a "trapdoor" , which means that it is easy to do the cal- 
culation in the difficult direction provided that you have 
some additional information. For example, if you were 
told that 67 was one of the prime factors of 4757, the 
calculation would be relatively simple. The security of 
RSA is actually based on the factorization of large inte- 
gers. 

In spite of its elegance suffers from a major flaw. 
Whether factoring is "difficult" or not could never be 
proven. This implies that the existence of a fast algo- 
rithm for factorization cannot be ruled out. In addi- 
tion, the discovery in 1994 by Peter Shor of a polynomial 
algorithm allowing fast factorization of integers with a 
quantum computer puts additional doubts on the non- 
existence of a polynomial algorithm for classical comput- 



* According to the British Government, public key cryptog- 
raphy was originally invented at the Government Communica- 
tions Headquarters in Cheltenham as early as in 1973. For an 
historical account, see for example the book by Simon Singh 
(1999). 



ers. 

Similarly, all public-key cryptosystems rely on un- 
proven assumptions for their security, which could them- 
selves be weakened or suppressed by theoretical or prac- 
tical advances. So far, no one has proved the existence of 
any one-way function with a trapdoor. In other words, 
the existence of secure asymmetric cryptosystems is not 
proven. This casts an intolerable threat on these cryp- 
tosystems. 

In a society where information and secure communi- 
cation is of utmost importance, as in ours, one cannot 
tolerate such a threat. Think, for instance, that an 
overnight breakthrough in mathematics could make elec- 
tronic money instantaneously worthless. To limit such 
economical and social risks, there is no possibility but 
to turn to symmetrical cryptosystems. QC has a role to 
play in such alternative systems. 

2. Symmetrical (secret-key) cryptosystems 

Symmetrical ciphers require the use of a single key for 
both encryption and decryption. These systems can be 
thought of as a safe, where the message is locked by Al- 
ice with a key. Bob in turns uses a copy of this key to 
unlock the safe. The "one-time pad", first proposed by 
Gilbert Vernam of AT&T in 1926, belongs to this cate- 
gory. In this scheme, Alice encrypts her message, a string 
of bits denoted by the binary number mi, using a ran- 
domly generated key k. She simply adds each bit of the 
message with the corresponding bit of the key to obtain 
the scrambled text (s = mi © fc, where ® denotes the 
binary addition modulo 2 without carry). It is then sent 
to Bob, who decrypts the message by subtracting the key 
(s0fc = mi®/c0fc = mi). Because the bits of the scram- 
bled text are as random as those of the key, they do not 
contain any information. This cryptosystem is thus prov- 
ably secure in the sense of information theory (Shannon 
1949). Actually, this is today the only provably secure 
cryptosystem! 

Although perfectly secure, the problem with this sys- 
tem is that it is essential for Alice and Bob to possess a 
common secret key, which must be at least as long as the 
message itself. They can only use the key for a single en- 
cryption - hence the name "one-time pad" . If they used 
the key more than once. Eve could record all of the scram- 
bled messages and start to build up a picture of the plain 
texts and thus also of the key. (If Eve recorded two differ- 
ent messages encrypted with the same key, she could add 
the scrambled text to obtain the sum of the plain texts: 
siS)S2 = miS)k®m2®k = mi(Bm2(Bk(Bk = mi0m2, 
where we used the fact that ® is commutative.) Fur- 
thermore, the key has to be transmitted by some trusted 
means, such as a courier, or through a personal meeting 
between Alice and Bob. This procedure can be complex 
and expensive, and may even amount to a loophole in 
the system. 



4 



Because of the problem of distributing long sequences 
of key bits, the one-time pad is currently used only for the 
most critical applications. The symmetrical cryptosys- 
tems in use for routine applications such as e-commerce 
employ rather short keys. In the case of the Data En- 
cryption Standard (also known as DES, promoted by the 
United States' National Institute of Standards and Tech- 
nology), a 56 bits key is combined with the plain text 
divided in blocks in a rather complicated way, involving 
permutations and non-linear functions to produce the ci- 
pher text blocks (see Stallings 1999 for a didactic pre- 
sentation). Other cryptosystems (e.g. IDEA or AES) 
follow similar principles. Like asymmetrical cryptosys- 
tems, they offer only computational security. However 
for a given key length, symmetrical systems are more se- 
cure than their asymmetrical counterparts. 

In practical implementations, asymmetrical algorithms 
are not so much used for encryption, because of their 
slowness, but to distribute session keys for symmetrical 
cryptosystems such as DES. Because the security of those 
algorithms is not proven (see paragraph II B 1), the secu- 



rity of the whole implementation can be compromised. If 
they were broken by mathematical advances, QC would 
constitute the only way to solve the key distribution 
problem. 



3. The one-time-pad as "classical teleportation" 

The one-time-pad has an interesting characteristic. 
Assume that Alice aims at transferring to Bob a faithful 
copy of a classical system, without giving any informa- 
tion to Eve about this system. For this purpose Alice 
and Bob have only access to an insecure classical chan- 
nel. This is possible provided they share an arbitrary 
long secret key. Indeed, in principle Alice can measure 
the state of her classical system with arbitrary high pre- 
cision and then use the one-time-pad to securely commu- 
nicate this information to Bob who can then, in principle, 
reconstruct (a copy of) the classical system. This some- 
what artificial use of the one-ti me-p ad has an interesting 
quantum relative, (see section [IE). 



C. The example of the BB84 protocol 

1. Principle 

The first protocol for QC has been proposed in 1984 
by Charles H. Bennett, from IBM New- York, and Gilles 
Brassard, from the University of Montreal, hence the 
name BB84 under which this protocol is recognized nowa- 
days. They published their work in a conference in In- 
dia, totally unknown to physicists. This underlines at 
once that QC needs the collaboration between different 
communities, with different jargons and different habits 



and conventions^. The interdisciplinary character of QC 
is the probable reason for its relatively slow start, but 
it certainly contributes crucially to the vast and fast ex- 
pansion over the recent years. 

We shall explain the BB84 protocol using the language 
of spin i , but clearly any 2-level quantum system would 
do. The protocol uses 4 quantum states that constitute 
2 bases, think of the states up | t), down | |), left | 
and right | ^). The bases are maximally conjugate in 
the sense that any pair of vectors, one from each basis, 
has the same overlap, e.g. |(t | = 5. Convention- 

ally, one attributes the binary value to states | t) and 
I ^) and the value 1 to the other two states, and calls 
the states qubits (for quantum bits). In the first step, 
Alice sends individual spins to Bob in states chosen at 
random among the 4 basic states (in Fig. ^ the spin 
states I I), I I), I —^) and | ) are identified with the 
polarization states "horizontal" , "verical" , "-|-45°" and 
"-45°", respectively). How she "chooses at ran dom" is 
a delicate problem in practice (see section HI DD , but in 
principle she could use her free will. The individual spins 
could be sent all at once, or one after the other (much 
more practical) ; the only restriction being that Alice and 
Bob can establish a one-to-one correspondence between 
the transmitted and the received spins. Next, Bob mea- 
sures the incoming spins in one of the two bases, chosen 
at random (using a random number generator indepen- 
dent from that of Alice). At this point, whenever they 
used the same basis, they get perfectly correlated results. 
However, whenever they used different basis, they get 
uncorrelated results. Hence, on average. Bob obtains a 
string of bits with 25% errors, called the raw key. This er- 
ror rate is so large that standard error correction schemes 
would fail. But in this protocol, as we shall see, Alice and 
Bob know which bits are perfectly correlated (the ones for 
which Alice and Bob used the same basis) and which ones 
are completely uncorrelated (all the other ones). Hence, 
a straightforward error correction scheme is possible: For 
each bit Bob announces publicly in which basis he mea- 
sured the corresponding qubit (but he does not tell the 
result he obtained). Alice then only tells whether or not 
the state in which she encoded that qubit is compatible 
with the basis announced by Bob. If the state is com- 
patible, they keep the bit, if not they disregard it. In 
this way about 50% of the bit string is discarded. This 
shorter key obtained after bases reconciliation is called 
the sifted ke]^. The fact that Alice and Bob use a public 
channel at some stage of their protocol is very common 



^For instance, it is amusing to note that physicists must 
publish in reputed journals while conference proceedings are 
of secondary importance. For computer science, on the con- 
trary, the proceedings of the best conferences are considered 
as the top, while journals are secondary! 

^This terminology has been introduced by Ekert and Hut- 
tner in 1994. 



5 



in crypto-protocols. This channel does not have to be 
confidential, but has to be authentic. Hence, any ad- 
versary Eve can listen to all the communication on the 
public channel, but she can't modify it. In practice Al- 
ice and Bob may use the same transmission channel to 
implement both the quantum and the classical channels. 

Note that neither Alice nor Bob can decide which key 
results from the protocol^. Indeed, it is the conjunction 
of both of their random choices which produces the key. 

Let us now consider the security of the above ideal 
protocol (ideal because so far we did not take into ac- 
count unavoidable noise due to technical imperfections). 
Assume that some adversary Eve intercepts a qubit prop- 
agating from Alice to Bob. This is very easy, but if Bob 
does not receive an expected qubit, he will simply inform 
Alice to disregard it. Hence, in this way Eve only lowers 
the bit rate (possibly down to zero), but she does not 
gain any useful information. For real eavesdropping Eve 
must send a qubit to Bob. Ideally she would like to send 
this qubit in its original state, keeping a copy for herself. 



2. No cloning theorem 

Following Wootters and Zurek (1982) it is easy to prove 
that perfect copying is impossible in the quantum world 
(see also Milonni and Hardies 1982, Dieks 1982, and the 
anticipating intuition by Wigner in 1961). Let V' denote 
the original state of the qubit, \h) the blank copj^ and 
denote |0) G Ti-qcM the initial state of Eve's "quantum 
copy machine" , where the Hilbert space TiqcM of the 
quantum cloning machine is arbitrary. The ideal machine 
would produce: 



ij (E) \b) (g) \0) ^ iP (g) ij (g) 1/^) 



(3) 



where |/^) denotes the final state of Eve's machine which 
might depend on ip. Accordingly, using obvious nota- 
tions, 

|T,6,0)^|T,T,/t) (4) 
and 11,6,0) ^U,i,/4). (5) 

By linearity of quantum dynamics it follows that 

1^,5,0) = -L(|t) + U))®|6,0) (6) 

^-^(|t,T,/T> + U>i,/i))- (7) 



But the latter state differs from the ideal copy | ^ 
, /^), whatever the states |/^) are. 

Consequently, Eve can't keep a perfect quantum copy, 
because perfect quantum copy machines can't exist. The 
possibility to copy classical information is probably one 
of the most characteristic features of information in the 
every day sense. The fact that quantum states, nowadays 
often called quantum information, can't be copied is cer- 
tainly one of the most specific attributes which make this 
new kind of information so different, hence so attractive. 
Actually, this "negative rule" has clearly its positive side, 
since it prevents Eve from perfect eavesdropping, and 
hence makes QC potentially secure. 



3. Intercept-res end strategy 

We have seen that the eavesdropper needs to send a 
qubit to Bob, while keeping a necessarily imperfect copy 
for herself. How imperfect the copy has to be, accord- 
ing to quantum theory, is a delicate problem that we 

Here, let us develop a sim- 



shall address in chapter VI 



pie eavesdropping strategy, called intercept-resend. This 
simple and even practical attack consists in Eve measur- 
ing each qubit in one of the two basis, precisely as Bob 
does. Then, she resends to Bob another qubit in the 
state corresponding to her measurement result. In about 
half of the cases Eve will be lucky and choose the basis 
compatible with the state prepared by Alice. In these 
cases she resends to Bob a qubit in the correct state and 
Alice and Bob won't notice her intervention. However, in 
the other 50% cases. Eve unluckily uses the basis incom- 
patible with the state prepared by Alice. This necessarily 
happens, since Eve has no information on Alice's random 
generator (hence the importance that this generator is 
truly random). In these cases the qubits sent out by Eve 
are in states with overlap \ with the correct states. Al- 
ice and Bob discover thus her intervention in about half 
of these cases, since they get uncorrelated results. Alto- 
gether, if Eve uses this intercept-resend strategy, she gets 
50% information, while Alice and Bob have about 25% 
of errors in their sifted key, i.e. after they eliminated the 
cases in which they used incompatible states, there are 
still about 25% errors. They can thus easily detect the 
presence of Eve. If, however, Eve applies this strategy to 
only a fraction of the communication, 10% let's say, then 
the error rate will be only w2.5% while Eve's information 
would be ~5%. The next section explains how Alice and 
Bob can counter such attacks. 



'^Alice and Bob can however determine the statistics of the 
key. 

corresponds to the stock of white paper in everyday 's 
photocopy machine. We shall assume that exceptionally this 
stock is not empty, a purely theoretical assumption, as is well 
known. 



4-. Error correction, privacy amplification and quantum 
secret growing 

At this point in the BB84 protocol, Alice and Bob 
share a so-called sifted key. But this key contains errors. 
The errors are caused as well by technical imperfections, 



6 



as possibly by Eve's intervention. Realistic error rates 
on the sifted key using today's technology are of a few 
percent. This contrasts strongly with the 10~^ typical in 
optical communication. Of course, the few percent errors 
will be corrected down to the standard 10^^ during the 
(classical) error correction step of the protocol. In order 
to avoid confusion, especially among the optical commu- 
nication specialists. Beat Perny from Swisscom and Paul 
Townsend, then with BT, proposed to name the error 
rate on the sifted key QBER, for Quantum Bit Error 
Rate, to make it clearly distinct from the BER used in 
standard communications. 

Such a situation where the legitimate partners share 
classical information, with high but not 100% correla- 
tion and with possibly some correlation to a third party 
is common to all quantum cryptosystems. Actually, it 
is also a standard starting point for classical information 
based cryptosystems where one assumes that somehow 
Alice, Bob and Eve have random variables a, [3 and e, re- 
spectively, with joint probability distribution P{a,(3,e). 
Consequently, the last step in a QC protocol uses classi- 
cal algorithms, first to correct the errors, next to lower 
Eve's information on the final key, a process called ■pri- 
vacy amplification. 

The first mention of privacy amplification appears in 
Bennett, Brassard and Robert (1988). It was then ex- 
tended in collaboration with C. Crepeau and U. Maurer 
from the University of Montreal and the ETH Ziirich, re- 
spectively (Bennett et al. 1995, see also Bennett ct al. 
1992a). Interestingly, this work motivated by QC found 
applications in standard information-based cryptography 
(Maurer 1993, Maurer and Wolf 1999). 

Assume that such a joint probability distribution 
P(a,/3,e) exists. Near the end of this section, we com- 
ment on this assumption. Alice and Bob have access only 
to the marginal distribution P{a, (3). From this and from 
the laws of quantum mechanics, they have to deduce con- 
straints on the complete scenario P{a^ (3, e), in parti cular 
they have to bound Eve's information (see sections VIE 
and lVIGl) . Given P(a,/3,e), necessary and sufficient con- 
ditions for a positive secret key rate between Alice and 
Bob, S{a,f3\\e), are not yet known. However, a useful 
lower bound is given by the difference between Alice and 
Bob's mutual Shannon information /(a, (3) and Eve's mu- 
tual information (Csiszar and Korner 1978, and theorem 
1 in section VI G ) : 



S{a,l3\\e) > max{/(a,/3) -/(a,e),/(a,/3) -/(/3,e)} 

(8) 

Intuitively, this result states that secure key distillation 
(Bennett et al. 1992a) is possible whenever Bob has more 
information than Eve. 

The bound (H) is tight if Alice and Bob are restricted 
to one-way communication, but for two-way communica- 
tion, secret key agreement might be p ossible even when 
(^ is not satisfied (see next paragraph 11 C Sf ). 



Without discussing any algorithm in detail, let us give 
some intuition how Alice and Bob can establish a se- 
cret key when condition (||) is satisfied. First, once the 
sifted key is obtained (i.e. after the bases have been an- 
nounced), Alice and Bob publicly compare a randomly 
chosen subset of it. In this way they estimate the error 
rate (more generally, they estimate their marginal prob- 
ability distribution P{a,(3)). These publicly disclosed 
bits are then discarded. Next, either condition (^ is not 
satisfied and they stop the protocol. Or condition (H) 
is satisfied and they use some standard error correction 
protocol to get a shorter key without errors. 

With the simplest error correction protocol, Alice ran- 
domly chooses pairs of bits and announces their XOR 
value (i.e. their sum modulo 2). Bob replies either "ac- 
cept" if he has the same XOR value for his corresponding 
bits, or "reject" if not. In the first case, Alice and Bob 
keep the first bit of the pair and eliminate the second one, 
while in the second case they eliminate both bits. In re- 
ality, more complex and efficient algorithms are used. 

After error correction, Alice and Bob have identical 
copies of a key, but Eve may still have some information 
about it (compatible with condition (^)). Alice and Bob 
thus need to lower Eve's information down to an arbitrar- 
ily low value using some privacy amplification protocols. 
These classical protocols typically work as follows. Alice 
again randomly choses pairs of bits and computes their 
XOR value. But, contrary to error correction she does 
not announce this XOR value. She only announces which 
bits she chose (e.g. bit number 103 and 537). Alice and 
Bob then replace the two bits by their XOR value. In 
this way they shorten their key while keeping it error 
free, but if Eve has only partial information on the two 
bits, her information on the XOR value is even lower. 
Consider for example that Eve knows only the value of 
the first bit, and nothing about the second one. Then 
she has no information at all on the XOR value. Also, if 
Eve knows the value of both bits with 60% probability, 
then the probability that she guesses correctly the value 
of the XOR is only of 0.6^ + 0.4^ = 52%. This process 
would have to be repeated several times; more efficient 
algorithms use larger blocks (Brassard and Salvail 1993). 

The error correction and privacy amplification algo- 
rithms sketched above are purely classical algorithms. 
This illustrates that QC is a truly interdisciplinary field. 

Actually, the above presentation is incomplete. Indeed, 
in this presentation, we have assumed that Eve has mea- 
sured her probe before Alice and Bob run the error cor- 
rection and privacy amplification algorithms, hence that 
P{a, (3, e) exists. In practice this is a very reasonable 
assumption, but, in principle. Eve could wait until the 
end of all the protocol, and then optimize her measure- 
ments accordingly. Such "delayed choice eavesdropping 



7 



strategiesQ' are discussed in chapter Vl. 

It should now be clear that QC does not provide a 
complete solution for all cryptographic purposes^. Ac- 
tually, quite on the contrary, QC can only be used as 
a complement to standard symmetrical cryptosystems. 
Accordingly, a more precise name for QC is Quantum 
Key Distribution, since this is all QC does. Nevertheless, 
we prefer to keep the well known terminology which gives 
its title to this review. 

Finally, let us emphasize that every key distribution 
system must incorporate some authentification scheme: 
the two parties must identify themselves. If not, Alice 
could actually be communicating directly with Eve! A 
straightforward possibility is that Alice and Bob initially 
share a short secret. Then QC provides them with a 
longer one and, for example, they each keep a small por- 
tion for authentification at the next session (Bennett et 
al. 1992a). From this perspective, QC is a Quantum 
Secret Growing protocol. 



tion to keep, whereas Eve can't influence this process]^ 
(Maurer 1993, Maurer and Wolf 1999). 

Recently a second remarkable connection between 
quantum and classical secret key agreement has been dis- 
covered (ass uming they use the Ekert protocol described 
in paragraph IIP 3 ) : If Eve follows the strategy which op- 
timizes her Shannon information, under the assumption 
that she attacks the qubit on e at a time (the so-called 
individual attacks, see section VIE), then Alice and Bob 
can use advantage distillation if and only if Alice and 
Bob's qubits are still entangled (they can thus use quan- 
tum privacy amplification (Deutsch et al. 1996)) (Gisin 
and Wolf 1999). This connection between the concept 
of entanglement, central to quantum information theory, 
and the concept of intrinsic classical information, cen- 
tral to classical information based cryptography (Maurer 
and Wolf 1999), has been shown to be general (Gisin 
and Wolf 2000). The connection seems even to extend to 
hound entanglement (Gisin et al. 2000). 



5. Advantage distillation 



D. Other protocols 



QC has triggered and still triggers research in classical 
information theory. The best known example is proba- 
bly the development of privacy amplification algorithms 
(Bennett et al. 1988 and 1995). This in turn triggered 
the development of new cryptosystems based on weak but 
classical signals, emitted for instance by satellites (Mau- 
rer 1993)Fj. These new developments required secret key 
agreement protocols that can be used even when the con- 
dition (H) doesn't apply. Such protocols, called advantage 
distillation, necessarily use two way communication and 
are much less efficient than privacy amplification. Usu- 
ally, they are not considered in the literature on QC. 
But, conceptually, they are remarkable from at least two 
points of view. First it is somewhat surprising that se- 
cret key agreement is possible even if Alice and Bob start 
with less mutual (Shannon) information than Eve. How- 
ever, they can take advantage of the authenticated public 
channel: Alice and Bob can decide which series of realiza- 



1. 2-state protocol 

In 1992 Charles H. Bennett noticed that actually 4 
states is more than necessary for QC: all what is really 
needed is 2 nonorthogonal states. Indeed the security re- 
lies on the impossibility for any adversary to distinguish 
unambiguously and without perturbation between the 
different states that Alice may send to Bob, hence 2 states 
are necessary and if they are incompatible (i.e. not mutu- 
ally orthogonal), then 2 states are also sufficient. This is 
a conceptually important clarification. It also made sev- 
eral of the first experimental demonstrations easier (this 
is further discussed in section IVD). But in practice it 
is not a good solution. Indeed, although 2 nonorthogo- 
nal states can't be distinguished unambiguously without 
perturbation, one can unambiguously distinguish them 
at the cost of some losses (Ivanovic 1987, Peres 1988). 
This possibility has even been demonstrated in practice 
(Huttner et al. 1996, Clarke et al. 2000). Hence, Alice 
and Bob would have to monitor the attenuation of the 



^Note however that Eve has to choose the interaction be- 
tween her probe and the qubits before the public discussion 
phase of the protocol. 

^°For a while it was thought that hit commitment (see, e.g.. 
Brassard 1988), a powerful primitive in cryptology, could be 
realized using quantum principles. However, Dominic Mayers 
(1996a and 1997) and Lo and Chan (1998) proved it to be 
impossible (see also Brassard et al. 1998). 

^'^Note that here the confidentiality is not guaranteed by 
the laws of physics, but relies on the assumption that Eve's 
technology is limited, e.g. her antenna is finite, her detectors 
have limited efficiencies. 



^^The idea is that Alice picks out several instances where she 
got the same bit and communicates the instances - but not 
the bit - to Bob. Bob replies yes only if it happens that for all 
these instances he also has the same bit value. For large error 
rates this is unlikely, but when it happens there is a large 
chance that both have the same bit. Eve can't influence the 
choice of the instances. All she can do is to use a majority 
vote for the cases accepted by Bob. The probability that Eve 
makes an error can be much larger than the probability that 
Bob makes an error (i.e. that all his instances are wrong), 
even if Eve's initial information is larger than Bob's. 



8 



quantum channel (and even this is not entirely safe if Eve 
could r eplace the channel by a more transparent one, see 
section VI H). The two-state protocol can also be im- 
plemented using an interference between a macroscopic 
bright pulse and a dim pulse with less than one photon on 
average (Bennett, 1992). The presence of the bright pulse 
makes this protocol specially resistant to eavesdropping, 
even in settings with high attenuation. Indeed Bob can 
monitor the bright pulses, to make sure that Eve does not 
remove any. In this case. Eve cannot eliminate the dim 
pulse without revealing her presence, because the inter- 
ference of the bright pulse with vacuum would introduce 
errors. A practical implementation of this protocol is 
discussed in section IVD. Huttner et al. extended this 



reference beam monitoring to the four-states protocol in 
1995. 



2. 6-state protocol 

While two states are enough and four states are stan- 
dard, a 6-state protocol respects much more the sym- 
metry of the qubit state space, see Fig. || (Bruss 1998, 
Bechmann-Pasquinucci and Gisin 1999). The 6 states 
constitute 3 bases, hence the probability that Alice and 
Bob chose the same basis is only of ^. But the symme- 
try of this protocol greatly simplifies the security anal- 
ysis and reduces Eve's optimal information gain for a 
given error rate QBER. If Eve measures every photon, 
the QBER is 33%, compared to 25% in the case of the 
BB84 protocol. 



3. EPR protocol 

This variation of the BB84 protocol is of special con- 
ceptual, historical and practical interest. The idea is due 
to Artur Ekert (1991) from Oxford University, who, while 
elaborating on a suggestion of David Dcutsch (1985), dis- 
covered QC independently of the BB84 paper. Intellec- 
tually, it is very satisfactory to see this direct connec- 
tion to the famous EPR paradox (Einstein, Podolski and 
Rosen 1935): the initially philosophical debate turned to 
theoretical physics with Bell's inequality (1964), then to 
experimental physics (Freedmann and Clauser 1972, Fry 
and Thompson 1976, and Aspect, Dalibard and Roger 
1982), and is now - thanks to Ekert's ingenious idea ~ 
part of applied physics. 

The idea consists in replacing the quantum channel 
carrying qubits from Alice to Bob by a channel carrying 
2 qubits from a common source, one qubit to Alice and 
one to Bob. A first possibility would be that the source 
emits the two qubits always in the same state chosen ran- 
domly among the 4 states of the BB84 protocol. Alice 
and Bob would then both measure their qubit in one of 
the two bases, again chosen independently and randomly. 
The source then announces the bases and Alice and Bob 



keep the data only when they happen to have done their 
measurements in the compatible basis. If the source is 
reliable, this protocol is equivalent to the BB84 one: Ev- 
ery thing is as if the qubit propagates backwards in time 
from Alice to the source, and then forwards to Bob! But 
better than trusting the source, which could be in Eve's 
hand, the Ekert protocol assumes that the 2 qubits are 
emitted in a maximally entangled state like: 



1 

71 



(I T,T) + U,i)). 



(9) 



Then, when Alice and Bob happen to use the same basis, 
both the x-basis or both the y-basis, i.e. in about half 
of the cases, their results are identical, providing them 
with a common key. Note the similarity between the 1- 
qubit BB84 protocol illustrated in Fig. ^ and the 2-qubit 
Ekert protocol of Fig. ||. The analogy can be even made 
stronger by noting that for all unitary evolutions Ui and 
the following equality hold: 



(10) 



where C/f denotes the transpose. 

In his 1991 paper Artur Ekert suggested to base the 
security of this 2-qubit protocol on Bell's inequality, an 
inequality which demonstrates that some correlation pre- 
dicted by quantum mechanics can't be reproduced by 
any local theory (Bell 1964). For this, Alice and Bob 
have a third choice of basis (see Fig. ^). In this way the 
probability that they happen to choose the same basis 
is reduced from ^ to |, but at the same time as they 
establish a key they collect enough data to test Bell in- 
equality^. They can thus check that the source really 
emits the entangled state (||) and not merely product 
states. The following year Bennett, Brassard and Mer- 
min (1992b) criticized Ekert's letter, arguing that the 
violation of Bell inequality is not necessary for the secu- 
rity of QC and emphasizing the close connection between 
the Ekert and the BB84 schemes. This criticism might 
be missing an important point. Indeed, although the ex- 
act relation between security and Bell inequality is not 
yet fully known, there are clear results establishing fasci- 
nating connections, (see section VI F). In October 1992, 
an article by Bennett, Brassard and Ekert demonstrated 
that the founding fathers joined forces to develop the field 
in a pleasant atmosphere (Bennett et al. 1992c)! 



^•^A maximal violation of Bell inequality is necessary to rule 
out tampering by Eve. In this case, the QBER must nec- 
essarily be equal to zero. With a non-maximal violation, as 
typically obtained in experimental systems, Alice and Bob 
can distil a secure key using error correction and privacy 
amplification. 



9 



4- Other variations 

There is a large collection of variations around the 
BB84 protocol. Let us mention a few, chosen somewhat 
arbitrarily. First, one can assume that the two bases 
are not chosen with equal probability (Ardehali et al. 
1998). This has the nice consequence that the proba- 
bility that Alice and Bob choose the same basis is larger 
than i , increasing thus the transmission rate of the sifted 
key. However, this protocol makes Eve's job easier as she 
is more likely to guess correctly the used basis. Conse- 
quently, it is not clear whether the final key rate, after 
error correction and privacy amplification, is higher or 
not. 

Another variation consists in using quantum systems of 
dimension larger than 2 (Bechmann-Pasquinucci and Tit- 
tel 2000, Bechmann-Pasquinucci and Peres 2000, Bouren- 
nane et al. 2001a). Again, the practical value of this idea 
has not yet been fully determined. 

A third variation worth mentioning is due to Gold- 
enberg and Vaidman, from Tel- Aviv University (1995). 
They suggested to prepare the qubits in a superposition 
of two spatially separated states, then to send one compo- 
nent of this superposition and to wait until Bob received 
it before sending the second component. This doesn't 
sound of great practical value, but has the nice concep- 
tual feature that the minimal two states do not need to 
be mutually orthogonal. 



E. Quantum teleportation as "Quantum 
one-time-pad" 

Since its discovery in 1993 by a surprisingly large 
group of physicists. Quantum teleportation (Bennett et 
al. 1993) received a lot of attention in the scientific com- 
munity as well as in the general public. The dream of 
beaming travellers through the Universe is exciting, but 
completely out of the realm of any foreseeable technol- 
ogy. However, quantum teleportation can be seen as the 
fully q uantum version of the one-time-pad, see paragraph 



nB3 



hence as the ultimate form of QC. Similarly to 
"classical teleportation", let's assume that Alice aims at 
transferring to Bob a faithful copy of a quantum system. 
If Alice has full knowledge of the quantum state, the 
problem is not really a quantum one (Alice information 
is classical). If, on the opposite, Alice does not know the 
quantum state, she cannot send a copy, since quantum 
copying is impossible according to quantum physics (see 



paragraph [1 C 2 ) . Nor can she send classical instructions. 



since this would allow the production of many copies. 
However, if Alice and Bob share arbitrarily many entan- 
gled qubits, sometimes called a quantum key, and share a 
classical communication channel then the quantum tele- 
portation protocol provides them with a mean to transfer 
the quantum state of the system from Alice to Bob. In 
the course of running this protocol, Alice's quantum sys- 



tem is destroyed without Alice learning anything about 
the quantum state, while Bob's qubit ends in a state 
isomorphic to the state of the original system (but Bob 
doesn't learn anything about the quantum state). If the 
initial quantum system is a quantum message coded in 
the form of a sequence of qubits, then this quantum mes- 
sage is faithfully and securely transferred to Bob, without 
any information leaking to the outside world (i.e. to any- 
one not sharing the prior entanglement with Alice and 
Bob). Finally, the quantum message could be formed of 
a 4 letter quantum alphabet constituted by the 4 states 
of the BB84 protocol. With futuristic, but not impossi- 
ble technology, Alice and Bob could have their entangled 
qubits in appropriate wallets and could establish a totally 
secure communication at any time, without even having 
to know where the partner is located (provided they can 
communicate classically) . 



F. Optical amplification, quantum nondemolition 
measurements and optimal quantum cloning 

After almost every general talk on QC, two questions 
arise: what about optical amplifiers? and what about 
quantum nondemolition measurements? In this section 
we briefly address these questions. 

Let us start with the second one, being the easiest. The 
terminology "quantum nondemolition measurement" is 
simply a confusing one! There is nothing like a quan- 
tum measurement that does not perturb (i.e. modify) 
the quantum state, except if the state happens to be an 
eigenstate of the observable. Hence, if for some reason 
one conjectures that a quantum system is in some state 
(or in a state among a set of mutually orthogonal ones), 
this can be in principle tested repeatedly (Braginsky and 
Khalili 1992). But if the state is only restricted to be in 
a finite set containing non-orthogonal states, as in QC, 
then there is no way to perform a measurement without 
"demolishing" (perturbing) the state. Now, in QC the 
terminology "nondemolition measurement" is also used 
with a different meaning: one measures the number of 
photons in a pulse without affecting the degree of free- 
dom coding the qubit (e.g. the polarization), (see section 
VI H), or one detects the presence of a photon without 
destroying it (Nogues et al. 1999). Such measurements 
are usually called "ideal measurements", or "projective 
measurements" , because they produce the least possible 



perturbation (Piron 1990) and because they can be repre- 
sented by projectors. It is important to stress that these 
"ideal measurements" do not invalidate the security of 
QC. 

Let us consider now optical amplifiers (a laser medium, 
but without mirrors, so that amplification takes place in 
a single pass, see Desurvire 1994). They are widely used 
in today's optical communication networks. However, 
they are of no use for quantum communication. Indeed, 
as seen in section [IC, the copying of quantum informa- 



tion is impossible. Here we illustrate this characteristic 



10 



of quantum information with the example of optical am- 
plifiers: the necessary presence of spontaneous emission 
whenever there is stimulated emission, prevents perfect 
copying. Let us clarify this important and often confus- 
ing point, following the work of Simon et al. (1999 and 
2000; see also Kempe et al. 2000, and De Martini et al. 
2000). Let the two basic qubit states |G) and |1) be physi- 
cally implemented by two optical modes: |0) = |1, 0) and 
|1) = |0, 1). \n,m)ph ® \k,l)a denotes thus the state of 
n photons in mode 1 and m in mode 2, and fc, ? = (1) 
the ground (excited) state of 2-lcvel atoms coupled to 
mode 1 and 2, respectively. Hence spontaneous emission 
corresponds to 



|0,0)p,,(^ |l,0)a ^ |l,O)p^0 |0,0)a, 
\0,Q)ph®\Q,l)a^\QA)ph®\Q,Q)a 



and stimulated emission to 



|l,0)pft® |l,0>a 
\Q,l)ph®\Q,l)a 



V2\2,Q)ph®\0,Q)a, 
\/2|0,2)p,,® |0,0)a 



(11) 

(12) 



(13) 
(14) 



where the \/2 factor takes into account the ratio stimu- 
lated/spontaneous emission. Let the initial state of the 
atom be a mixture of the following two states (each with 
equal weight 50%): 



|0,l)a 



|l,0)a 



(15) 



By symmetry, it suffices to consider one possible initial 
state of the qubit, e.g. 1 photon in the first mode |1, Q)ph- 
The initial state of the photon-|-atom system is thus a 
mixture: 

\l,0)ph®\lAa or \l,Q)ph®\Q,l)a (16) 

This corresponds to the first order term in an evolution 
with a Hamiltonian (in the interaction picture): H = 
x(a|cr]^ + aia\ + a\iy2 + 020"!). After some time the 
2-photon component of the evolved states reads: 

V2|2,0)pft® |0,0)a or |l,l)p,,® |0,0)a (17) 

The correspondence with a pair of spin i goes as follows: 

|2,0> = |TT) |0,2> = Ui) (18) 



■ph jnode 



j^2Pi 



TT 



2^T + 



The corresponding fidelity is: 



F 



6 



(21) 



(22) 



which is precisely the optimal fidelity compatible with 
quantum mechanics (Buzek and Hillery 1996, Bruss et 
al 1998, Gisin and Massar 1997). In other words, if we 
start with a single photon in an arbitrary state, and pass 
it through an amplifier, then due to the effect of sponta- 
neous emission the fidelity of the state exiting the ampli- 
fier, in the cases where it consists of exactly two photons, 
with the initial state will be equal to at most 5/6. Note 
that if it were possible to make better copies, then, using 
EPR correlations between spatially separated systems, 
signaling at arbitrarily fast speed would also be possible 
(Gisin 1998). 



ii,i),. = v(+) = -^(in) + UT)) (19) 

Tracing over the amplifier (i.e. the 2-level atom), an 
(ideal) amplifier achieves the following transformation: 

Ft ^ 2P„ + P^(+) (20) 

where the P's indicate projectors (i.e. pure state density 
matrices) and the lack of normalization results from the 
first order expansion used in ( pi] ) to (|l^). Accordingly, 
after normalization, each photon is in state : 



11 



III. TECHNOLOGICAL CHALLENGES 

The very first demonstration of QC was a table top ex- 
periment performed at the IBM laboratory in the early 
1990's over a distance of 30 cm (Bennett et al. 1992a), 
marking the start of impressive experimental improve- 
ments during the last years. The 30 cm distance is of 
little practical interest. Either the distance should be 
even shorter, think of a credit card and the ATM ma- 
chine (Huttner et al. 1996b), but in this case all of Al- 
ice's components should fit on the credit card. A nice 
idea, but still impractical with present technology. Or 
the distance should be much longer, at least in the km 
range. Most of the research so far uses optical fibers to 
guide the photons from Alice to Bob and we shall mainly 
concentrate here on such systems. There is, however, also 
some very significant research on free space systems, (see 
section IV E). 

Once the medium is chosen, there remain the questions 
of the source and detectors. Since they have to be com- 
patible, the crucial choice is the wavelength. There are 
two main possibilities. Either one chooses a wavelength 
around 800 nm where efficient photon counters are com- 
mercially available, or one chooses a wavelength compat- 
ible with today's telecommunication optical fibers, i.e. 
near 1300 nm or 1550 nm. The first choice requires free 
space transmission or the use of special fibers, hence the 
installed telecommunication networks can't be used. The 
second choice requires the improvement or development 
of new detectors, not based on silicon semiconductors, 
which are transparent above 1000 nm wavelength. 

In case of transmission using optical fibers, it is still 
unclear which of the two alternatives will turn out to be 
the best choice. If QC finds niche markets, it is conceiv- 
able that special fibers will be installed for that purpose. 
But it is equally conceivable that new commercial detec- 
tors will soon make it much easier to detect single pho- 
tons at telecommunication wavelengths. Actually, the 
latter possibility is very likely, as several research groups 
and industries are already working on it. There is an- 
other good reason to bet on this solution: the quality 
of telecommunication fibers is much higher than that of 
any special fiber, in particular the attenuation is much 
lower (this is why the telecommunication industry chose 
these wavelengths): at 800 nm, the attenuation is about 
2 dB/km (i.e. half the photons are lost after 1.5 km), 
while it is only of the order of 0.35 and 0.20 dB/km at 
1300 nm and 1550 nm, respectively (50% loss after about 
9 and 15 km) 

In case of free space transmission, the choice of wave- 
length is straightforward since the region where good 
photon detectors exist - around 800 nm - coincides with 



the one where absorption is low. However, free space 
transmission is restricted to line-of sight links and is very 
weather dependent. 

In the next sections we successively consider the ques- 
tions "how to produce single phot ons?" (section III A), 



"how to transmit them?" (sect ion |III B| ) , "how to detect 



single photons?" (section III C| ), and finally "how to ex- 
ploit the intrinsic randomness of quantum processes to 
build random generators?" (section HID). 



A. Photon sources 

Optical quantum cryptography is based on the use of 
single photon Fock states. Unfortunately, these states 
are difficult to realize experimentally. Nowadays, practi- 
cal implementations rely on faint laser pulses or entan- 
gled photon pairs, where both the photon as well as the 
photon-pair number distribution obeys Poisson statistics. 
Hence, both possibilities suffer from a small probability 
of generating more than one photon or photon pair at 
the same time. For large losses in the quantum chan- 
nel even small fractions of these multi-photons can have 
import ant co nsequences on the security of the key (see 
section VIH ), lea ding to interest in "photon guns", see 
paragraph [II A 3 ) . In this section we briefiy comment 



on sources based on faint pulses as well as on entan- 
gled photon-pairs, and we compare their advantages and 
drawbacks. 



1. Faint laser pulses 

There is a very simple solution to approximate single 
photon Fock states: coherent states with an ultra-low 
mean photon number /i. They can easily be realized us- 
ing only standard semiconductor lasers and calibrated 
attenuators. The probability to find n photons in such a 
coherent state follows the Poisson statistics: 



P(n, At) 



(23) 



Accordingly, the probability that a non-empty weak co- 
herent pulse contains more than 1 photon. 



P{n > l\n >0,n) = 



i-p(o,m)-p(i,m) 



l-P(0,/i) 
- e-^(l + fi) ^ 



2 



(24) 



^'^ The losses in dB (Idb) can be calculated from the losses in 
percent (1%): IdB 



can be made arbitrarily small. Weak pulses are thus ex- 
tremely practical and have indeed been used in the vast 
majority of experiments. However, they have one ma- 
jor drawback. When /i is small, most pulses are empty: 
P{n = 0) « 1 — /X. In principle, the resulting decrease in 
bit rate could be compensated for thanks to the achiev- 
able GHz modulation rates of telecommunication lasers. 



12 



But in practice the problem comes from the detectors' 
dark counts (i.e. a click without a photon arriving). 
Indeed, the detectors must be active for all pulses, in- 
cluding the empty ones. Hence the total dark counts 
increase with the laser's modulation rate and the ratio 
of the detected photons over the dark counts (i.e. the 



signal to noise ratio) decreases with /i (see section IV A). 
The problem is especially severe for longer wavelengths 
where photon detectors based on Indium Gallium Ar- 
senide semiconductors (InGaAs) are needed (see section 
III C| ) since the noise of these detectors explodes if they 
are opened too frequently (in practice with a rate larger 
than a few MHz). This prevents the use of really low 
photon numbers, smaller than approximately 1%. Most 
experiments to date relied on /i = 0.1, meaning that 5% 
of the nonempty pulses contain more than one photon. 
However, it is important to stress that, as pointed out 
by Liitkenhaus (2000), there is an optimal /i depending 
on the transmission losses |^ After key distillation, the 
security is just as good with faint laser pulses as with 
Fock states. The price to pay for using such states lies in 
a reduction of the bit rate. 



2. Photon pairs generated by parametric downconversion 

Another way to create pseudo single-photon states is 
the generation of photon pairs and the use of one photon 
as a trigger for the other one (Hong and Mandel 1986). 
In contrast to the sources discussed before, the second 
detector must be activated only whenever the first one 
detected a photon, hence when /i = 1, and not whenever 
a pump pulse has been emitted, therefore circumventing 
the problem of empty pulses. 

The photon pairs are generated by spontaneous para- 
metric down conversion in a x^^^ non-linear crystal^. In 
this process, the inverse of the well-known frequency dou- 
bling, one photon spontaneously splits into two daughter 
photons - traditionally called signal and idler photon - 
conserving total energy and momentum. In this con- 
text, momentum conservation is called phase matching, 
and can be achieved despite chromatic dispersion by ex- 
ploiting the birefringence of the nonlinear crystal. The 
phase matching allows to choose the wavelength, and de- 
termines the bandwidth of the downconverted photons. 



'^^Contrary to a frequent misconception, there is nothing spe- 
cial about a /i value of 0.1, eventhough it has been selected 
by most experimentalists. The optimal value - i.e. the value 
that yields the highest key exchange rate after distillation - 
depends on the optical losses in t he ch anne l and on assump- 
tions about Eve's technology (see 



VI H 



and 



VII) 



The latter is in general rather large and varies from a few 
nanometers up to some tens of nanometers. For the non 
degenerate case one typically gets 5-10 nm, whereas in 
the degenerate case (central frequency of both photons 
equal) the bandwidth can be as large as 70 nm. 

This photon pair creation process is very inefhcient, 
typically it needs some 10^" pump photons to create one 
pair in a given mode[^. The number of photon pairs per 
mode is thermally distributed within the coherence time 
of the photons, and follows a poissonian distribution for 
larger time windows (Walls and Milburn 1995). With a 
pump power of 1 mW, about 10^ pairs per second can 
be collected in single mode fibers. Accordingly, in a time 
window of roughly Ins the conditional probability to find 
a second pair having detected one is 10^ • 10~^ ~ 0.1%. 
In case of continuous pumping, this time window is given 
by the detector resolution. Tolerating, e.g. 1% of these 
multi-pair events, one can generate 10'' pairs per second, 
using a realistic 10 mW pump. Detecting for example 
10 % of the trigger photons, the second detector has to 
be activated 10^ times per second. In comparison, the 
example of 1% of multi-photon events corresponds in the 
case of faint laser pulses to a mean photon number of /i = 
0.02. In order to get the same number 10^ of non-empty 
pulses per second, a pulse rate of 50 MHz is needed. For a 
given photon statistics, photon pairs allow thus to work 
with lower pulse rates (e.g. 50 times lower) and hence 
reduced detector-induced errors. However, due to limited 
coupling efficiency into optical fibers, the probability to 
find the sister photon after detection of the trigger photon 
in the respective fiber is in practice lower than 1. This 
means that the effective photon number is not one, but 
rather /x « 2/3 (Ribordy et al. 2001), still well above 
^l = 0.02. 

Photon pairs generated by parametric down conversion 
offer a further major advantage if they are not merely 
used as pseudo single-photon source, but if their entan- 
glement is exploited. Entanglement leads to quantum 
correlation s whic h can be used for key generation, (see 
paragraph H D 3| and chapter 0). In this case, if two pho- 
ton pairs are emitted within the same time window but 
their measurement basis is choosen independently, they 
produce completely uncorrelated results. Hence, depend- 
ing on the realization, t he pr oblem of multiple photon can 



be avoided, see section VI J . 

Figure ^ shows one of our sources creating entangled 
photon pairs at 1310 nm wavelength as used in tests of 
Bell inequalities over 10 kilometers (Tittel et al. 1998). 
Although not as simple as faint laser sources, diode 
pumped photon pair sources emitting in the near infrared 
can be made compact, robust and rather handy. 



For a review see Rarity and Tapster 1988, and for latest 
developments Tittel et al. 1999, Kwiat et al. 1999, Jennewein 
et al. 2000b, Tanzilli et al. 2001. 



^^Recently we achieved a conversion rate of 10 using an 
optical waveguide in a periodically poled LiNbOs crystal 
(Tanzilh et al. 2001). 



13 



3. Photon guns 

The ideal single photon source is a device that when 
one pulls the trigger, and only then, emits one and only 
one photon. Hence the name photon gun. Although pho- 
ton anti-bunching has been demonstrated already years 
ago (Kimble et al. 1977), a practical and handy device is 
still awaited. At present, there are essentially three dif- 
ferent experimental approaches that come more or less 
close to this ideal. 

A first idea is to work with a single two-level quan- 
tum system that can obviously not emit two photons at 
a time. The manipulation of single trapped atoms or 
ions requires a much too involved technical effort. Sin- 
gle organics dye molecules in solvents (S.C. Kitson et al. 
1998) or sohds (Brunei et al. 1999, Fleury et al. 2000) 
are easier to handle but only offer limited stability at 
room temperature. Promising candidates, however, are 
nitrogen- vacancy centers in diamond, a substitutional ni- 
trogen atom with a vacancy trapped at an adjacent lat- 
tice position (Kurtsiefer et al. 2000, Brouri et al. 2000). 
It is possible to excite individual nitrogen atoms with a 
532 nm laser beam, which will subsequently emit a fluo- 
rescence photon around 700 nm (12ns decay time). The 
fluorescence exhibits strong photon anti-bunching and 
the samples are stable at room temperature. However, 
the big remaining experimental challenge is to increase 
the collection efficiency (currently about 0.1%) in order 
to obtain mean photon numbers close to 1. To obtain 
this, an optical cavity or a photonic bandgap structure 
must suppress the emission in all spatial modes but one. 
In addition, the spectral bandwith of this type of source 
is broad (of the order of 100 nm), enhancing the effect of 
pertubations in a quantum channel. 

A second approach is to generate photons by single 
electrons in a mesoscopic p-n junction. The idea is to 
take profit of the fact that thermal electrons show anti- 
bunching (Pauli exclusion principle) in contrast to pho- 
tons (Imamoglu and Yamamoto, 1994). First experimen- 
tal results have been presented (Kim et al. 1999), how- 
ever with extremely low efficiencies, and only at a tem- 
perature of 50mK! 

Finally, another approach is to use the photon emis- 
sion of electron-hole pairs in a semiconductor quantum 
dot. The frequency of the emitted photon depends on the 
number of electron- hole pairs present in the dot. After 
one creates several such pairs by optical pumping, they 
will sequentially recombine and hence emit photons at 
different frequencies. Therefore, by spectral filtering a 
single-photon pulse can be obtained (Gerard et al. 1999, 
Santori et al. 2000, and Michler et al. 2000). These dots 
can be integrated in solid-states microcavities with strong 
enhancements of the spontaneous emission (Gerard et al. 
1998). 

In summary, today's photon guns are still too compli- 
cated to be used in a QC-prototype. Moreover, due to 
their low quantum efficiencies they do not offer an ad- 



vantage with respect to faint laser pulses with extremely 
low mean photon numbers /i. 

B. Quantum channels 

The single photon source and the detectors must be 
connected by a "quantum channel" . Such a channel is 
actually nothing specially quantum, except that it is in- 
tended to carry information encoded in individual quan- 
tum systems. Here "individual" doesn't mean "non- 
decomposible" , it is meant in opposition to "ensemble" . 
The idea is that the information is coded in a physical 
system only once, contrary to classical communication 
where many photons carry the same information. Note 
that the present day limit for fiber-based classical optical 
communication is already down to a few tens of photons, 
although in practice one usually uses many more. With 
the increasing bit rate and the limited mean power - im- 
posed to avoid nonlinear effects in silica fibers - these 
figures are likely to get closer and closer to the quantum 
domain. 

The individual quantum systems are usually 2-level 
systems, called qubits. During their propagation they 
must be protected from environmental noise. Here "en- 
vironment" refers to everything outside the degree of 
freedom used for the encoding, which is not necessar- 
ily outside the physical system. If, for example, the in- 
formation is encoded in the polarization state, then the 
optical frequencies of the photon is part of the environ- 
ment. Hence, coupling between the polarization and the 
optical frequency has to be mastered^ (e.g. avoid wave- 
length sensitive polarizers and birefringence). Moreover, 
the sender of the qubits should avoid any correlation be- 
tween the polarization and the spectrum of the photons. 

Another difficulty is that the bases used by Alice to 
code the qubits and the bases used by Bob for his mea- 
surements must be related by a known and stable uni- 
tary transformation. Once this unitary transformation 
is known, Alice and Bob can compensate for it and get 
the expected correlation between their preparations and 
measurements. If it changes with time, they need an ac- 
tive feedback to track it, and if the changes are too fast 
the communication must be interrupted. 

1. Singlemode fibers 

Light is guided in optical fibers thanks to the refrac- 
tive index profile n{x,y) across the section of the fibers 
(traditionally, the z-axis is along the propagation direc- 
tion). Over the last 25 years, a lot of effort has been 



Note that, as we will see in chapter |y|, using entangled 
photons prevents such information leakage. 



14 



made to reduce transmission losses - initially several dB 
per km -, and nowadays, the attenuation is as low as 
2dB/km at 800nm wavelength, 0.35 dB/km at 1310 nm, 
and 0.2 dB/km at 1550 nm (see Fig. ||). It is amusing 
to note that the dynamical equation describing optical 
pulse propagation (in the usual slowly varying envelope 
aproximation) is identical to the Schrodinger equation, 
with V{x,y) — —n{x,y) (Snyder 1983). Hence a positive 
bump in the refractive index corresponds to a potential 
well. The region of the well is called the fiber core. If 
the core is large, many bound modes exist, correspond- 
ing to many guided modes in the fiber. Such fibers are 
called multimode fibers, their core being usually 50 mi- 
crometer in diameter. The modes couple easily, acting 
on the qubit like a non- isolated environment. Hence mul- 
timode fibers are not appropriate as quantum channels 
(see however Townsend 1998a and 1998b). If, however, 
the core is small enough (diameter of the order of a few 
wavelengths) then a single spatial mode is guided. Such 
fibers are called singlemode fibers. For telecommunica- 
tions wavelength (i.e. 1.3 and 1.5 /im), their core is typ- 
ically 8 /zm in diameter. Singlemode fibers are very well 
suited to carry single quanta. For example, the optical 
phase at the output of a fiber is in a stable relation with 
the phase at the input, provided the fiber doesn't get 
elongated. Hence, fiber interferometers are very stable, a 
fact exploited in many instruments and sensors (see, e.g., 
Cancelheri 1993). 

Accordingly, a singlemode fiber with perfect cylindric 
symmetry would provide an ideal quantum channel. But 
all real fibers have some asymmetries and then the two 
polarization modes are no longer degenerate but each has 
its own propagation constant. A similar effect is caused 
by chromatic dispersion, where the group delay depends 
on the wavelength. Both dispersion effects are the sub- 
ject of the next paragraphs. 

2. Polarization effects in singlemode fibers 

Polarization effects in singlemode fibers are a common 
source of problems in all optical communication schemes, 
as well classical as quantum ones. In recent years this has 
been a major topic for R&D in classical optical commu- 
nication (Gisin et al. 1995). As a result, today's fibers 
are much better than the fibers a decade ago. Nowa- 
days, the remaining birefringence is small enough for the 
telecom industry, but for quantum communication, any 
birefringence, even extremely small, will always remain 
a concern. All fiber based implementations of QC have 
to face this problem. This is clearly true for polarization 
based systems; but it is equally a concern for phase based 
systems, since the interference visibility depends on the 
polarization states. Hence, although polarization effects 
are not the only source of difficulties, we shall describe 
them in some detail, distinguishing between 4 effects: the 
geometrical one, birefringence, polarization mode disper- 



sion and polarization dependent losses. 

The Geometric phase as encountered when guiding 
light in an optical fiber is a special case of the Berry 
phase^ which results when any parameter describing a 
property of the system under concern, here the fc-vector 
characterizing the propagation of the light field, under- 
goes an adiabatic change. Think first of a linear polar- 
ization state, let's say vertical at the input. Will it still 
be vertical at the output? Vertical with respect to what? 
Certainly not the gravitational field! One can follow that 
linear polarization by hand along the fiber and see how 
it may change even along a closed loop. If the loop stays 
in a plane, the state after a loop coincides with the input 
state. But if the loop explores the 3 dimensions of our 
space, then the final state will differ from the initial one 
by an angle. Similar reasoning holds for the axes of el- 
liptical polarization states. The two circular polarization 
states are the eigenstates: during parallel transport they 
acquire opposite phases, called the Berry phase. The 
presence of a geometrical phase is not fatal for quantum 
communication, it simply means that initially Alice and 
Bob have to align their systems by defining for instance 
the vertical and diagonal directions (i.e. performing the 
unitary transformation mentioned before). If these vary 
slowly, they can be tracked, though this requires an ac- 
tive feedback. However, if the variations are too fast, 
the communication might be interrupted. Hence, aerial 
cables that swing in the wind are not appropriate (ex- 
cept w ith selfcompensating configurations, see paragraph 
IVC2D . 

Birefringence is the presence of two different phase 
velocities for two orthogonal polarization states. It is 
caused by asymmetries in the fiber geometry and in the 
residual stress distribution inside and around the core. 
Some fibers are made birefringent on purpose. Such 
fibers are called polarization maintaining (PM) fibers be- 
cause the birefringence is large enough to effectively un- 
couple the two polarization eigenmodes. But note that 
only these two orthogonal polarization modes are main- 
tained; all the other modes, on the contrary, evolve very 
quickly, making this kind of fiber completely unsuitable 
for polarization-based QC systems^. The global effect 
of the birefringence is equivalent to an arbitrary com- 
bination of two waveplates, that is, it corresponds to a 
unitary transformation. If this transformation is stable. 



^ Introduced by Michael Berry in 1984, then observed in 
optical fiber by Tomita and Chiao (1986), and on the single 
photon level by Hariharan et al. (1993), studied in connection 
to photon pairs by Brendel et al. (1995). 

■^°PM fibers might be of use for phase based QC systems. 
However, this requires the whole setup - transmission lines 
as well as interferometers at Alice's and Bob's - to be made 
of PM fibers. While this is principally possible, the need of 
installing a completely new fiber network makes this solution 
not very practical. 



15 



Alice and Bob can compensate for it. The effect of bire- 
fringence is thus similar to the geometrical effect, though, 
in addition to a rotation, it may also affect the elliptic- 
ity. Stability of birefringence requires slow thermal and 
mechanical variations. 

Polarization Mode Dispersion (PMD) is the pres- 
ence of two different group velocities for two orthogonal 
polarization modes, ft is due to a delicate combination 
of two causes. First, birefringence produces locally two 
group velocities. For optical fibers, this local modal dis- 
persion is in good approximation equal to the phase dis- 
persion, of the order of a few ps/km. Hence, locally an 
optical pulse tends to split into a fast mode and a slow 
mode. But because the birefringence is small, the two 
modes couple easily. Hence any small imperfection along 
the fiber produces polarization mode coupling: some en- 
ergy of the fast mode couples into the slow mode and 
vice- versa. PMD is thus similar to a random walkp^ and 
grows only with the square root of the fiber length, ft 



is expressed in 



ps 



with values as low as 0.1 



ps 
s/ km 



for 



modern fibers and possibly as high as 0.5 or even 1 
for older ones. 

Typical lengths for the polarization mode coupling 
vary from a few meters up to hundreds of meters. The 
stronger the coupling, the weaker the PMD (the two 
modes do not have time to move away between the cou- 
plings). In modern fibers, the couplings are even artifi- 
cially increased during the drawing process of the fibers 
(Hart et al. 1994, Li and Nolan 1998). Since the cou- 
plings are exceedingly sensitive, the only reasonable de- 
scription is a statistical one, hence PMD is described as 
a statistical distribution of delays St. For long enough 
fibers, the statistics is Maxwellian and PMD is related to 
the fiber length £, the mean coupling length h, the mean 
modal birefringence B and to the RMS delay as follows 
PMD= 



(Gisin et al. 1995): PMD= V« St^» = Bh^i/h. 
PMD could cause depolarization which would be devas- 
tating for quantum communication, similar to any deco- 
herence in quantum information processing. But fortu- 
nately, for quantum communication the remedy is easy, it 
suffices to use a source with a coherence time larger than 
the largest delay St. Hence, when laser pulses are used 
(with typical spectral widths AA < 1 nm, corresponding 



to a coherence time > 3 ps, see paragraph [H A 1 ), PMD 
is no real problem. For photons created by parametric 
down conversion, however, PMD can impose severe lim- 
itations since AA > 10 nm (coherence time < 300 fs) is 
not unusual. 

Polarization Dependent Losses (PDL) is a differ- 
ential attenuation between two orthogonal polarization 
modes. This effect is negligible in fibers, but can be sig- 



In contrast to Brownian motion describing particles diffu- 
sion in space as time passes, here photons diffuse in time as 
they propagate along the fiber. 



nificant in components like phase modulators. In par- 
ticular, some integrated optics waveguides actually guide 
only one mode and thus behave almost like polarizers 
(e.g. proton exchange waveguides in LiNbOs). PDL 
is usually stable, but if connected to a fiber with some 
birefringence, the relation between the polarization state 
and the PDL may fluctuate, producing random outcomes 
(Elamari et al. 1998). PDL cannot be described by a uni- 
tary operator acting in the polarization state space (but 
it is of course unitary in a larger space (Huttner et al. 
1996a). It does thus not preserve the scalar product. In 
particular, it can turn non-orthogonal states into orthog- 
onal ones which can then be distinguished unambiguously 
(at the cost of some loss) (Huttner et al. 1996a, Clarke et 
al. 2000). Note that this could be used by Eve, s pecial ly 
to eavesdrop on the 2-state protocol (paragraph II D 1 ) . 

Let us conclude this paragraph on polarization effects 
in fibers by mentioning that they can be passively com- 
pensated, provided one uses a go-&-return configuration, 
using Faraday mirrors, as described in section IV C 2. 



3. Chromatic dispersion effects in singlemode fibers 

In addition to polarization effects, chromatic disper- 
sion (CD) can cause problems for quantum cry ptogra phy 
as w ell. For instance, as explained in sections IV C and 
|VB| , schemes implementing phase- or phase-and-time- 
coding rely on photons arriving at well defined times, 
that is on photons well localized in space. However, in 
dispersive media like optical fibers, different group ve- 
locities act as a noisy environment on the localization of 
the photon as well as on the phase acquired in an inter- 
ferometer. Hence, the broadening of photons featuring 
non-zero bandwidth, or, in other words, the coupling be- 
tween frequency and position must be circumvented or 
controlled. This implies working with photons of small 
bandwidth, or, as long as the bandwidth is not too large, 
operating close to the wavelength Aq where chromatic 
dispersion is zero, i.e. for standard fibers around 1310 
nm. Fortunately, fiber losses are relatively small at this 
wavelength and amount to «0.35 dB/km. This region 
is called the second telecommunication windowp^ There 
are also special fibers, called dispersion-shifted, with a 
refractive index profile such that the chromatic disper- 
sion goes to zero around 1550 nm, where the attenuation 
is minimal (Neumann 1988)^. 



■^^The first one, around 800 nm, is almost no longer used. It 
was motivated by the early existence of sources and detectors 
at this wavelength. The third window is around 1550 nm 
where the attenuation reaches an absolute minimum (Thomas 
et al. 2000) and where erbium doped fibers provide convenient 
amplifiers (Desurvire 1994). 

^■^ Chromatic dispersion in fibers is mainly due to the mate- 
rial, essentially silicon, but also to the refractive index profile. 



16 



CD does not constitute a problem in case of faint laser 
pulses where the bandwidth is small. However, it be- 
comes a serious issue when utilizing photon pairs cre- 
ated by parametric downconversion. For instance, send- 
ing photons of 70 nm bandwidth (as used in our long- 
distance Bell inequality tests, Tittel et al. 1998) down 
10 km of optical fibers leads to a temporal spread of 
around 500 ps (assuming photons centered at Aq and a 
typical dispersion slope of 0.086 ^^/^.^ ) . However, this 
can be compensated for when using energy-time entan- 
gled photons (Franson 1992, Steinberg et al. 1992a and 
1992b, Larchuk et al. 1995). In contrast to polariza- 
tion coding where frequency and the physical property 
used to implement the qubit are not conjugate variables, 
frequency and time (thus position) constitute a Fourier 
pair. The strict energy anti-correlation of signal and idler 
photon enables one to achieve a dispersion for one pho- 
ton which is equal in magnitude but opposite in sign to 
that of the sister photon, corresponding thus to the same 
delay^ (see Fig. ^ . The effect of broadening of the two 
wave packets then cancels out and two simultaneously 
emitted photons stay coincident. However, note that the 
arrival time of the pair varies with respect to its emission 
time. The frequency anticorrelation provides also the 
basis for avoiding decrease of visibility due to different 
wavepacket broadening in the two arms of an interferom- 
eter. And since the CD properties of optical fibers do 
not change with time - in contrast to birefringence - no 
on-line tracking and compensation is required. It thus 
turns out that phase and phase-time coding is particu- 
larly suited to transmission over long distances in optical 
fibers: nonlinear effects decohering the qubit "energy" 
are completely negligible, and CD effects acting on the 
localization can be avoided or compensated for in many 
cases. 



4. Free-space links 

Although telecommunication based on optical fibers is 
very advanced nowadays, such channels may not always 
be available. Hence, there is also some effort in devel- 
oping free space line-of-sight communication systems - 
not only for classical data transmission but for quantum 
cryptography as well (see Hughes et al. 2000a and Gor- 
man et al. 2000). 



Indeed, longer wavelengths feel regions further away from the 
core where the refractive index is lower. Dispersion-shifted 
fibers have, however, been abandoned by today's industry, be- 
cause it turned out to be simpler to compensate for the global 
chromatic dispersion by adding an extra fiber with high neg- 
ative dispersion. The additional loss is then compensated by 
an erbium doped fiber amplifier. 

Assuming a predominantly linear dependence of CD in 
function of the optical frequency, a realistic assumption. 



Transmission over free space features some advan- 
tages compared to the use of optical fibers. The atmo- 
sphere has a high transmission window at a wavelength 
of around 770 nm (see Fig. ||) where photons can eas- 
ily be detected using commerc ial, hig h efficiency photon 
counting modules (see chapter HI C 1 ). Furthermore, the 
atmosphere is only weakly dispersive and essentially non- 
birefringent^ at these wavelengths. It will thus not alter 
the polarization state of a photon. 

However, there are some drawbacks concerning free- 
space links as well. In contrast to transmitting a signal 
in a guiding medium where the energy is "protected" and 
remains localized in a small region in space, the energy 
transmitted via a free-space link spreads out, leading to 
higher and varying transmission losses. In addition to 
loss of energy, ambient daylight, or even light from the 
moon at night, might couple into the receiver, leading 
to a higher error rate. However, the latter errors can be 
maintained at a reasonable level by using a combination 
of spectral filtering (< 1 nm interference filters), spatial 
filtering at the receiver and timing discrimination using 
a coincidence window of typically a few ns. Finally, it 
is clear that the performance of free-space systems de- 
pends dramatically on atmospheric conditions and is 
possible only with clear weather. 

Finally, let us briefly comment on the different sources 
leading to coupling losses. A first concern is the trans- 
mission of the signals through a turbulent medium, lead- 
ing to arrival-time jitter and beam wander (hence prob- 
lems with beam pointing). However, as the time-scales for 
atmospheric turbulences involved are rather small - 
around 0.1 to 0.01 s -, the time jitter due to a varia- 
tion of the effective refractive index can be compensated 
for by sending a reference pulse at a different wavelength 
at short time (around 100 ns) before each signal pulse. 
Since this reference pulse experiences the same atmo- 
spheric conditions as the subsequent one, the signal will 
arrive essentially without jitter in the time-window de- 
fined by the arrival of the reference pulse. In addition, 
the reference pulse can be refiected back to the transmit- 
ter and used to correct the direction of the laser beam by 
means of adaptive optics, hence to compensate for beam 
wander and to ensure good beam pointing 

Another issue is the beam divergence, hence increase of 
spot size at the receiver end caused by diffraction at the 
transmitter aperture. Using for example 20 cm diameter 
optics, the diffraction limited spot size after 300 km is 
of ~ 1 m. This effect can in principle be kept small 
taking advantage of larger optics. However, it can also 
be of advantage to have a spot size large compared to the 
receiver's aperture in order to ensure constant coupling 
in case of remaining beam wander. In their 2000 paper. 



^^In contrast to an optical fiber, air is not subject to stress, 
hence isotropic. 



17 



Gilbert and Hamrick provide a comprehensive discussion 
of free-space channels in the context of QC. 

C. Single-photon detection 

With the availability of pscudo single-photon and 
photon-pair sources, the success of quantum cryptogra- 
phy is essentially dependent on the possibility to detect 
single photons. In principle, this can be achieved using 
a variety of techniques, for instance photo- multipliers, 
avalanche-photodiodes, multichannel plates, supercon- 
ducting Josephson junctions. The ideal detector should 
fulfill the following requirements: 



• it should feature a high quantum detection effi- 
ciency over a large spectral range, 

• the probability of generating noise, that is a signal 
without a photon arriving, should be small, 

• to ensure a good timing resolution, the time be- 
tween detection of a photon and generation of an 

electrical signal should be as constant as possible, 
i.e. the time jitter should be small, 

• the recovery time (i.e. the deadtime) should be 
small to allow high data rates. 

In addition, it is important to keep the detectors 
handy. For instance, a detector which needs liquid he- 
lium or even nitrogen cooling would certainly render a 
commercial development difficult. 

Unfortunately, it turns out that it is impossible to meet 
all mentioned points at the same time. Today, the best 
choice is avalanche photodiodes (APD). Three different 
semiconductor materials are used: either Silicon, Ger- 
manium or Indium Gallium Arsenide, depending on the 
wavelengths. 

APDs are usually operated in so-called Geiger mode. 
In this mode, the applied voltage exceeds the breakdown 
voltage, leading an absorbed photon to trigger an elec- 
tron avalanche consisting of thousands of carriers. To re- 
set the diode, this macroscopic current must be quenched 

the emission of charges stopped and the diode recharged 
(Cova et al. 1996). Three main possibilities exist: 

• In passive- quenching circuits, a large (50-500 kfi) 
resistor is connected in series with the APD (see 
e.g. Brown et al. 1986). This causes a decrease of 
the voltage across the APD as soon as an avalanche 
starts. When it drops below breakdown voltage, 
the avalanche stops and the diode recharges. The 
recovery time of the diode is given by its capaci- 
tance and by the value of the quench resistor. The 
maximum count rate varies from some hundred kHz 
to a few MHz. 



• In active quenching circuits, the bias voltage is 
actively lowered below the breakdown voltage as 
soon as the leading edge of the avalanche current 
is detected (see e.g. Brown et al. 1987). This 
mode enables higher count rates compared to pas- 
sive quenching (up to tens of MHz), since the dead- 
time can be as short as some tens of ns. How- 
ever, the fast electronic feedback system renders 
active quenching circuits much more complicated 
than passive ones. 

• Finally, in gated mode operation, the bias volt- 
age is kept below the breakdown voltage and is 
raised above only for a short time when a photon 
is expected to arrive, typically a few ns. Maxi- 
mum count-rates similar to active quenching cir- 
cuits can be obtained using less complicated elec- 
tronics. Gated mode operation is commonly used in 
quantum cryptography based on faint laser pulses 
where the arrival-times of the photons are well 
known. However, it only applies if prior timing 
information is available. For 2-photon schemes, it 
is most often combined with one passive quenched 
detector, generating the trigger signal for the gated 
detector. 

Apart from Geiger mode. Brown et al. also investi- 
gated the performance of Silicon APDs operated in suh- 
Geiger mode (Brown et al. 1989). In this mode, the bias 
voltage is kept slightly smaller than the breakdown volt- 
age such that the multiplication factor - around 100 - 
already enables to detect an avalanche, however, is still 
small enough to prevent real breakdowns. Unfortunately, 
the single-photon counting performance in this mode is 
rather bad and initial efforts have not been continued, 
the major problem being the need for extremely low- noise 
amplifiers. 

An avalanche engendered by carriers created in the 
conduction band of the diode can not only be caused 
by an impinging photon, but also by unwanted causes. 
These might be thermal or band-to-band tunneling pro- 
cesses, or emissions from trapping levels populated while 
a current transits through the diode. The first two causes 
produce avalanches not due to photons and are referred 
to as darkcounts. The third process depends on previous 
avalanches and its effect is called afterpulses. Since the 
number of trapped charges decreases exponentially with 
time, these afterpulses can be limited by applying large 
deadtimes. Thus, there is a trade-off between high count 
rates and low afterpulses. The time-constant of the ex- 
ponential decrease of afterpulses shortens for higher tem- 
peratures of the diode. Unfortunately, operating APDs 
at higher temperature leads to a higher fraction of ther- 
mal noise, that is higher dark counts. There is thus again 
a tradeoff to be optimized. Finally, increasing the bias 
voltage leads to a larger quantum efficiency and a smaller 
time jitter, at the cost of an increase in the noise. 



18 



We thus see that the optimal operating parameters, 
voltage, temperature and dead time (i.e. maximum count 
rate) depend on the very application. Besides, since the 
relative magnitude of efficiency, thermal noise and af- 
ter pulses varies with the type of semiconductor material 
used, no general solution exists. In the two next para- 
graphs we briefly present the different types of APDs. 
The first paragraph focuses on Silicon APDs which en- 
able the detection of photons at wavelengths below l/zm, 
the second one comments on Germanium and on Indium 
Gallium Arsenide APDs for photon counting at telecom- 
munication wavelength. The different behaviour of the 
three types is shown in Fig. ^ Although the best fig- 
ure of merit for quantum cryptography is the ratio of 
dark count rate R per time unit to detection efficiency 77, 
we depict here the better-known noise equivalent power 
NEP which shows similar behaviour. The NEP is de- 
fined as the optical power required to measure a unity 
signal-to-noise ratio, and is given by 

NEP = —V2R. (25) 
V 

Here, h is Planck's constant and v is the frequency of the 
impinging photons. 

1. Photon counting at wavelengths below 1.1 /im 

Since the beginning of the 80's, a lot of work has 
been done to characterize Silicon APDs for single pho- 
ton counting (Ingerson 1983, Brown 1986, Brown 1987, 
Brown 1989, Spinelli 1996), and the performance of Si- 
APDs has continuously been improved. Since the first 
test of Bell inequality using Si-APDs by Shih and Al- 
ley in 1988, they have completely replaced the photo- 
multipliers used until then in the domain of fundamental 
quantum optics, known now as quantum communication. 
Today, quantum efhciencies of up to 76% (Kwiat et al. 
1993) and time jitter down to 28 ps (Cova et al. 1989) 
have been reported. Commercial single photon counting 
modules are available (EG&G SPCM-AQ-151), featuring 
quantum efficiencies of 70 % at a wavelength of 700 nm, a 
time jitter of around 300 psec and maximum count rates 
larger than 5 MHz. Temperatures of -20°C - sufficient to 
keep thermally generated dark counts as low as 50 Hz - 
can easily be achieved using Peltier cooling. Single pho- 
ton counters based on Silicon APDs thus offer an almost 
perfect solution for all applications where photons of a 
wavelength below 1 /xm can be used. Apart from funda- 
mental quantum optics, this includes quantum cryptog- 
raphy in free space and in optical fibers, however, due to 
high losses, the latter one only over short distances. 

2. Photon counting at telecommunication wavelengths 

When working in the second telecommunication win- 
dow (1.3/im), one has to take advantage of APDs made 



from Germanium or InGaAs/InP semiconductor materi- 
als. In the third window (1.55 /xm), the only option is 
InGaAs/InP APDs. 

Photon counting with Germanium APDs, although 
known for 30 years (Haecker, Groczinger and Pilkuhn 
1971), started to be used in the domain of quantum com- 
munication with the need of transmitting single photons 
over long distances using optical fibers, hence with the 
necessity to work at telecommunications wavelength. In 
1993, Townsend, Rarity and Tapster (Townsend et al. 
1993a) implemented a single photon interference scheme 
for quantum cryptography over a distance of 10 km, and 
in 1994, Tapster, Rarity and Owens (1994) demonstrated 
a violation of Bell inequalities over 4 km. These experi- 
ments where the first ones to take advantage of Ge APDs 
operated in passively quenched Geiger mode. At a tem- 
perature of 77K which can be achieved using either liquid 
nitrogen or Stirling engine cooling, typical quantum ef- 
ficiencies of about 15 % at dark count rates of 25 kHz 
can be found (Owens et al. 1994), and time jitter down 
to 100 ps have been observed (Lacaita et al. 1994) ~ a 
normal value being 200-300 ps. 

Traditionally, Germanium APDs have been imple- 
mented in the domain of long-distance quantum com- 
munication. However, this type of diode is currently get- 
ting replaced by InGaAs APDs and it is more and more 
difficult to find Germanium APDs on the market. Mo- 
tivated by pioneering research reported already in 1985 
(Levine, Bethea and Campbell 1985), latest research fo- 
cusses on InGaAs APDs, allowing single photon detection 
in both telecommunication windows. Starting with work 
by Zappa et al. (1994), InGaAs APDs as single photon 
counters have meanwhile been characterized thoroughly 
(Lacaita et al. 1996, Ribordy et al. 1998, Hiskett et al. 
2000, Karlsson et al. 1999, and Rarity et al. 2000, Stucki 
et al. 2001), and first implementations for quantum cryp- 
tography have been reported (Ribordy 1998, Bourennane 
et al. 1999, Bethune and Risk 2000, Hughes et al. 2000b, 
Ribordy et al. 2000). However, if operating Ge APDs 
is already inconvenient compared to Silicon APDs, the 
handiness of InGaAs APDs is even worse, the problem 
being a extremely high afterpulse fraction. Therefore, 
operation in passive quenching mode is impossible for 
applications where noise is crucial. In gated mode, In- 
GaAs APDs feature a better performance for single pho- 
ton counting at 1.3 /zm compared to Ge APDs. For in- 
stance, at a temperature of 77 K and a dark count prob- 
ability of 10~^ per 2.6 ns gate, quantum efficiencies of 
around 30% and of 17% have been reported for InGaAs 
and Ge APDs, respectively (Ribordy et al. 1998), while 
the time jitter of both devices is comparable. If working 
at a wavelength of 1.55 /im, the temperature has to be 
increased for single photon detection. At 173 K and a 
dark count rate of now 10"'', a quantum efficiency of 6% 
can still be observed using InGaAs/InP devices while the 
same figure for Germanium APDs is close to zero. 

To date, no industrial effort has been done to opti- 
mize APDs operating at telecommunication wavelength 



19 



for photon counting, and their performance is still far 
behind the one of Silicon APDs^. However, there is 
no fundamental reasons why photon counting at wave- 
lengths above 1 fj,m should be more delicate than below, 
except that the photons are less energetic. The real rea- 
sons for the lack of commercial products are, first, that 
Silicon, the most common semiconductor, is not sensitive 
(the band gap is too large), and secondly that the mar- 
ket for photon counting is not yet mature. But, without 
great risk, one can forecast that good commercial pho- 
ton counters will become available in the near future, and 
that this will have a major impact on quantum cryptog- 
raphy. 



D. Quantum random number generators 



In the BB84 protocol Alice has to choose randomly 
between four different states and Bob between two bases. 
The limited random number generation rate may force 
Alice to produce her numbers in advance and store them, 
opening a security weakness. On Bob's side the random 
bit creation rate can be lower since, in principle, the basis 
must be changed only after a photon has been detected, 
which normally happens at rates below 1 MHz. However, 
one has to make sure that this doesn't give the spy a n 
opportunity for a Trojan horse attack (see section VI K| )! 

An elegant configuration integrating the random num- 
ber generator into the QC system consists in using a pas- 
sive choice of bases, as discussed in chapter ^ (Muller et 
al. 1993). However, the problem of detector induced 
correlation remains. 



The key used in the one-time-pad must be secret and 
used only once. Consequently, it must be as long as the 
message and must be perfectly random. The later point 
proves to be a delicate and interesting one. Computers 
are deterministic systems that cannot create truly ran- 
dom numbers. But all secure cryptosystems, both classi- 
cal and quantum ones, require truly random numbers^! 
Hence, the random numbers must be created by a ran- 
dom physical process. Moreover, to make sure that the 
random process is not merely looking random with some 
hidden deterministic pattern, it is necessary that it is 
completely understood. It is thus of interest to imple- 
ment a simple process in order to gain confidence in its 
proper operation. 

A natural solution is to rely on the random choice of 
a single photon at a beamsplitter^ (Rarity et al. 1994). 
In this case the randomness is in principle guaranteed by 
the laws of quantum mechanics, though, one still has to 
be very careful not to introduce any experimental arte- 
fact that could correlate adjacent bits. Different experi- 
mental realizations have been demonstrated (Hildebrand 
2001, Stefanov et al. 2000, Jennewein et al. 2000a) 
and prototypes are commercially available (www.gap- 
optique.unige.ch). One particular problem is the dead- 
time of the detectors, that may introduce a strong an- 
ticorrelation between neighboring bits. Similarly, after- 
pulses may provoke a correlation. These detector-related 
effects increase with higher pulse rates, limiting the bit 
rate of quantum number generator to some MHz. 



The first commercial photon counter at telecommunication 
wavelengths came out only this year (Hamamatsu photomul- 
tiplier R5509-72). However, the efficiency does not yet allow 
an implementation for quantum cryptography. 

^'^The pin number that the bank attributes to your credit 
card must be random. If not, someone knows it! 

Strictly speaking, the choice is made only once the photons 
are detected at one of the outports. 



E. Quantum repeaters 

Todays fiber based QC systems are limited to tens of 
kilometers. This is due to the combination of fiber losses 
and detectors' noise. The losses by themselves do only 
reduce the bit rate (exponentially with the distance), but 
with perfect detectors the distance would not be limited. 
However, because of the dark counts, each time a pho- 
ton is lost there is a chance that a dark count produces 
an error. Hence, when the probability of a dark count 
becomes comparable to the probability that a photon 
is correctly detected, the signal to noise ratio tends to 
(more precisely the mutual information I [a, (3) tends 
to a lower boundp^) . In this section we briefly explain 
how the use of entangled photons and of entanglement 
swapping (Zukowski et al. 1993) could open ways to 
extend the achievable distances in a foreseeable future 
(some prior knowledge of entanglement swapping is as- 
sumed). Let us denote tunk the transmission coefficient 
(i.e. tii„fc=probability that a photon sent by Alice gets 
to one of Bob's detectors), ry the detectors' efficiency and 
Pdark the dark count probability per time bin. With a 
perfect single photon source, the probability Praw of a 
correct qubit detection reads: Praw = tunkV: while the 
probability Pdet of an error is: Pdet = (1 - tiink'n)Pdark- 
Accordingly, the QBER^p— ^^pp— and the normalized 

net rate reads: pnet = [Praw + Pdet) ■ fct{QBER) where 
the function fct denotes the fraction of bits remaining 
after error correction and privacy amplification. For the 
sake of illustration we simply assume a linear dependence 
dropping to zero for QBER> 15% (This simplification 
does not affect the qualitative results of this section. 
For a more precise calculation, see Liitkenhaus 2000.): 



The absolute lower bound is 0, but dependening on the 
assumed eavesdropping strategy, Eve could take advantage of 
the losses. In the latter case, the lower bound is given by her 
mutual information I{a,e). 



20 



fct{QBER) = 1 - ^^^y"' . The corresponding net rate 
Pnet is displayed on Fig. Note that it drops to zero 
near 90 km. 

Let us now assume that instead of a perfect single- 
photon source, Alice and Bob use a (perfect) 2-photon 
source set in the middle of their quantum channel. Each 
photon has then a probability y/tunk to get to a detec- 
tor. The probability of a correct joined detection is thus 
if, while an error occurs with probabihty 

Pdet = (1 - ^tUnkVYv^^ark + ^VtUnkVi^ " ^/tlinkV)Pdark 

(both photon lost and 2 dark counts, or one photon 
lost and one dark count). This can be conveniently 

rewritten as: Praw = Uink'n" and Pdet = {t]ink'^ + (1 - 

^]ink'^)PdarkT " tiink'n"' Valid for any division of the link 
into n equal-length sections and n detectors. Note that 
the measurements performed at the nodes between Alice 
and Bob do transmit (swap) the entanglement to the twin 
photons, without revealing any information about the 
qubit (these measurements are called Bell-measurements 
and are the core of entanglement swapping and of quan- 
tum teleportation) . The corresponding net rates are dis- 
played in Fig. Clearly, the rates for short distances 
are smaller when several detectors are used, because of 
their limited efficiencies (here we assume rj = 10%). But 
the distance before the net rate drops to zero is extended 
to longer distances! Intuitively, this can be understood 
as follows. Let's consider that a logical qubit propagates 
from Alice to Bob (although some photons propagate in 
the opposite direction). Then, each 2-photon source and 
each Bell-measurement acts on this logical qubit as a kind 
of QND measurement: they test whether the logical qubit 
is still there! In this way. Bob activates his detectors only 
when there is a large chance that the photon gets 
to his detectors. 

Note that if in addition to the detectors' noise there 
is noise due to decoherence, then the above idea can be 
extended, using entanglement purification. This is essen- 
tially the idea of quantum repeaters (Briegel et al. 1998, 
Dur et al. 1999). 



IV. EXPERIMENTAL QUANTUM 
CRYPTOGRAPHY WITH FAINT LASER 
PULSES 

Experimental quantum key distribution was demon- 
strated for the first time in 1989 (it was published only 
in 1992 by Bennett et al. 1992a). Since then, tremen- 
dous progress has been made. Today, several groups have 
shown that quantum key distribution is possible, even 
outside the laboratory. In principle, any two-level quan- 
tum system could be used to implement QC. In practice, 
all implementations have relied on photons. The reason 
is that their interaction with the environment, also called 
decoherence, can be controlled and moderated. In addi- 
tion, researchers can benefit from all the tools developed 
in the past two decades for optical telecommunications. 
It is unlikely that other carriers will be employed in the 
foreseeable future. 

Comparing different QC-setups is a difficult task, since 
several criteria must be taken into account. What mat- 
ters in the end is of course the rate of corrected secret bits 
(distilled bit rate, Rdist) that can be transmitted and the 
transmission distance. One can already note that with 
present and near future technology, it will probably not 
be possible to achieve rates of the order of gigahertz, 
nowadays common with conventional optical communi- 
cation systems (in their comprehensive paper published 
in 2000, Gilbert and Hamrick discuss practical methods 
to achieve high bit rate QC). This implies that encryp- 
tion with a key exchanged through QC is to be limited 
to highly confidential information. While the determina- 
tion of the transmission distance and rate of detection 
(the raw bit rate, Rraiu) is straightforward, estimating 
the net rate is rather difficult. Although in principle er- 
rors in the bit sequence follow only from tampering by 
a malevolent eavesdropper, the situation is rather dif- 
ferent in reality. Discrepancies in the keys of Alice and 
Bob also always happen because of experimental imper- 
fections. The error rate (here called quantum bit error 
rate, or QBER) can be easily determined. Similarly, the 
error correction procedure is rather simple. Error cor- 
rection leads to a first reduction of the key rate that de- 
pends strongly on the QBER. The real problem consist 
in estimating the information obtained by Eve, a quan- 
tity necessary for privacy amplification. It does not only 
depend on the QBER, but also on other factors, like the 
photon number statistics of the source, or the way the 
choice of the measurement basis is made. Moreover in 
a pragmatic approach, one might also accept restrictions 
on Eve's technology, limiting her strategies and there- 
fore also the information she can obtain per error she 
introduces. Since the efficiency of privacy amplification 
rapidly decreases when the QBER increases, the distilled 
bit rate depends dramatically on Eve's information and 
hence on the assumptions made. One can define as the 
maximum transmission distance, the distance where the 
distilled rate reaches zero. This can give an idea of the 



21 



difficulty to evaluate a QC system from a physical point 
of view. 

Technological aspects must also be taken into account. 
In this article we do not focus on all the published per- 
formances (in particular not on the key rates), which 
strongly depend on present technology and the financial 
possibilities of the research teams having carried out the 
experiments. On the contrary, we try to weight the in- 
trinsic technological difhculties associated with each set- 
up and to anticipate certain technological advances. And 
last but not least the cost of the realization of a prototype 
should also be considered. 

In this chapter, we first deduce a general formula for 
the QBER and consider its impact on the distilled rate. 
We then review faint pulses implementations. We class 
them according to the property used to encode the qubits 
value and follow a rough chronological order. Finally, we 
assess the possibility to adopt the various set-ups for the 
realization of an industrial prototype. Systems based on 
entangled photon pairs are presented in the next chapter. 



A. Quantum Bit Error Rate 

The QBER is defined as the number of wrong bits to 
the total number of received bits^ and is normally in 
the order of a few percent. In the following we will use 
it expressed as a function of rates: 



QBER 



Rf. 



Nright + -^u 



R 



sift 



Re 



R 



sift 

(26) 



where the sifted key corresponds to the cases in which 
Alice and Bob made compatible choices of bases, hence 
its rate is half that of the raw key. 

The raw rate is essentially the product of the pulse 
rate frep, the mean number of photon per pulse ^, the 
probability ^htiA; of a photon to arrive at the analyzer and 
the probability 77 of the photon being detected: 



R 



1 



sift 



-Rr 



1 



7 9 frep ^link ^ 



(27) 



The factor q (q<l, typically 1 or i) must be introduced 
for some phase-coding setups in order to correct for non- 
inte rferin g path combinations (see, e.g., sections 
and[VB|) 



IV C 



One can distinguish three different contributions to 
Rerror- Thc first One arises because of photons ending 
up in the wrong detector, due to unperfect interference 
or polarization contrast. The rate Hopt is given by the 



^°In the foUowin we are considering systems implementing 
the BB84 protocol. For other protocols some of the formulas 
have to be slightly adapted. 



product of the sifted key rate and the probability Popt of 
a photon going in the wrong detector: 

Ropt — Rsift Popt = 2? frep A* tlink Popt V (28) 

This contribution can be considered, for a given set-up, 
as an intrinsic error rate indicating the suitability to use 
it for QC. We will discuss it below in the case of each 
particular system. 

The second contribution, Rdet, arises from the detector 
dark counts (or from remaining environmental stray light 
in free space setups). This rate is independent of the bit 



raty |. Of course, only dark counts falling in a short time 
window when a photon is expected give rise to errors. 



R - iif 



(29) 



where Pdark is the probability of registering a dark count 
per time- window and per detector, and n is the number of 
detectors. The two ^-factors are related to the fact that 
a dark count has a 50% chance to happen with Alice and 
Bob having chosen incompatible bases (thus eliminated 
during sifting) and a 50% chance to arise in the correct 
detector. 

Finally error counts can arise from uncorrelated pho- 
tons, because of imperfect photon sources: 



1 1 
— J 

2 2^ 



Paccfrep^link^^ 



(30) 



This factor appears only in systems based on entangled 
photons, where the photons belonging to different pairs 
but arriving in the same time window are not necessarily 
in the same state. The quantity pacc is the probability to 
find a second pair within the time window, knowing that 
a first one was created^. 

The QBER can now be expressed as follows: 



QBER = 



R. 



opt 



Rde 



Rn 



Rsift 

Pdark ' ^ 



Pa 



tlink ■ T] - 2 ■ q - fj, 2 ■ q - ij, 

= QBERopt + QBERdet + QBERa, 



(31) 
(32) 
(33) 



We analyze now these three contributions. The first 
one, QBERopt, is independent on the transmission dis- 
tance (it is independent of tunk)- It can be considered as 
a measure of the optical quality of the setup, depending 
only on the polarisation or interference fringe contrast. 



■^^This is true provided that afterpulses (see section [II C) 
do not contribute to the dark counts. 

■^^Note that a passive choice of measurement basis implies 
that four detectors (or two detectors during two time win- 
dows) are activated for every pulse, leading thus to a doubling 

of Rdet and Race 



22 



The technical effort needed to obtain, and more impor- 
tant, to maintain a given QBERopt is an important crite- 
rion for evaluating different QC-setups. In polarization 
based systems, it's rather simple to achieve a polarisa- 
tion contrast of 100:1, corresponding to a QBERopt of 
1%. In fiber based QC, the problem is to maintain this 
value in spite of polarisation fluctuations and dcpolarisa- 
tion in the fiber link. For phase coding setups, QBERopt 
and the interference visibility are related by 



QBERopt ~ 



1 - V 



(34) 



A visibility of 98% translates thus into an optical error 
rate of 1%. Such a value implies the use of well aligned 
and stable interferometers. In bulk optics perfect mode 
overlap is difficult to achieve, but the polarization is sta- 
ble. In single-mode fiber interferometers, on the contrary, 
perfect mode overlap is automatically achieved, but the 
polarisation must be controlled and chromatic dispersion 
can constitute a problem. 

The second contribution, QBERdet, increases with dis- 
tance, since the darkcount rate remains constant while 
the bit rate goes down like tunk- It depends entirely on 
the ratio of the dark count rate to the quantum efficiency. 
At present, good single-photon detectors are not commer- 
cially available for telecommunication wavelengths. The 
span of QC is not limited by decoherence. As QBERopt 
is essentially independent of the fiber length, it is the 
detector noise that limits the transmission distance. 

Finally, the QBERacc contribution is present only in 
some 2-photon schemes in which multi-photon pulses are 
processed in such a way that they do not neces sarily 
enco de th e same bit value (see e.g. paragraphs VB 1 
and VB2). Indeed, although in all systems there is a 



probability for multi-photon pulses, in most these con- 
trib ute on ly to the information available to Eve (see sec- 
and not to the QBER. But for implementa- 



VI H 



tion 

tions featuring passive choice by each photon, the multi- 
photon pulses do not contribute to Eve's information but 
to the error rate (see section VIJ). 

Now, let us calculate the useful bit rate as a func- 
tion of the distance. KsiH and QBER are given as a 
function of tunk in eq. ( |27| ) and ( p2| ) respectively. The 
fiber link transmission decreases exponentially with the 
length. The fraction of bits lost due to error correc- 
tion and privacy amplification is a function of QBER 
and depends on Eve's strategy. The number of remain- 
ing bits Rnet is given by the sifted key rate multiplied 
by the difference of the Alice-Bob mutual Shannon infor- 
mation I{a, (3) and Eve's maximal Shannon information 
/"°^(a,e): 



R„ 



R 



sift 



/(a,/3) 



= (a. 



(35) 



The latter are calculated here according to eq. ( |64| ) and 
( |66| ) (section VIE), considering only individual attacks 
and no multiphoton pulses. We obtain R„et (useful bit 



rate after error correction and privacy amplification) for 
different wavelengths as shown in Fig. |l^. There is first 
an exponential decrease, then, due to error correction 
and privacy amplification, the bit rates fall rapidly down 
to zero. This is most evident comparing the curves 1550 
nm and 1550 nm "single" since the latter features 10 
times less QBER. One can see that the maximum range 
is about 100 km. In practice it is closer to 50 km, due 
to non-ideal error correction and privacy amplification, 
multiphoton pulses and other optical losses not consid- 
ered here. Finally, let us mention that typical key cre- 
ation rates of the order of a thousand bits per second over 
distances of a few tens of kilometers have been demon- 
strated experimentally (see, for example, Ribordy et al. 
2000 or Townsend 1998b). 



B. Polarization coding 

Encoding the qubits in the polarization of photons is 
a natural solution. The first demonstration of QC by 
Charles Bennett and his coworkers (Bennett et al. 1992a) 
made use of this choice. They realized a system where 
Alice and Bob exchanged faint light pulses produced by 
a LED and containing less than one photon on average 
over a distance of 30 cm in air. In spite of the small scale 
of this experiment, it had an important impact on the 
community in the sense that it showed that it was not 
unreasonable to use single photons instead of classical 
pulses for encoding bits. 

A typical system for QC with the BB84 four states 
protocol using the polarization of photons is shown in 
Fig. |l^. Alice's system consists of four laser diodes. They 
emit short classical photon pulses (~ Ins) polarized at 
-45°, 0°, -h45°, and 90°. For a given qubit, a single 
diode is triggered. The pulses are then attenuated by a 
set of filters to reduce the average number of photons well 
below 1, and sent along the quantum channel to Alice. 

It is essential that the pulses remain polarized for Bob 
to be able to extract the i nforma tion encoded by Alice. 
As discussed in paragraph [II B 2 , polarization mode dis- 
persion may depolarize the photons, provided the delay 
it introduces between both polarization modes is larger 
than the coherence time. This sets a constraint on the 
type of lasers used by Alice. 

When reaching Bob, the pulses are extracted from the 
fiber. They travel through a set of waveplates used to re- 
cover the initial polarization states by compensating the 
transformation induced by the optical fiber (paragraph 
IIIB 2 ). The pulses reach then a symmetric beamsplit- 
ter, implementing the basis choice. Transmitted photons 
are analyzed in the vertical-horizontal basis with a po- 
larizing beamsplitter and two photon counting detectors. 
The polarization state of the reflected photons is flrst ro- 
tated with a waveplate by 45° (-45° to 0°). The photons 
are then analyzed with a second set of polarizing beam- 
splitter and photon counting detectors. This implements 



23 



the diagonal basis. For illustration, let us follow a photon 
polarized at +45°, we see that its state of polarization is 
arbitrarily transformed in the optical fiber. At Bob's end, 
the polarization controller must be set to bring it back 
to +45°. If it chooses the output of the beamsplitter 
corresponding to the vertical-horizontal basis, it will ex- 
perience equal reflection and transmission probability at 
the polarizing beamsplittter, yielding a random outcome. 
On the other hand, if it chooses the diagonal basis, its 
state will be rotated to 90°. The polarizing beamsplit- 
ter will then reflect it with unit probability, yielding a 
deterministic outcome. 

Instead of Alice using four lasers and Bob two polar- 
izing beamsplitters, it is also possible to implement this 
system with active polarization modulators such as Pock- 
els cells. For emission, the modulator is randomly acti- 
vated for each pulse to rotate the state of polarization 
to one of the four states, while, at the receiver, it ran- 
domly rotates half of the incoming pulses by 45°. It is 
also possible to realize the whole system with fiber optics 
components. 

Antoine MuUer and his coworkers at the University of 
Geneva used such a system to perform QC experiments 
over optical fibers (1993, see also Breguet et al. 1994). 
They created a key over a distance of 1100 meters with 
photons at 800 nm. In order to increase the transmission 
distance, they repeated the experiment with photons at 
ISOOnm (Muller et al.l995 and 1996) and created a key 
over a distance of 23 kilometers. An interesting feature 
of this experiment is that the quantum channel connect- 
ing Alice and Bob consisted in an optical fiber part of an 
installed cable, used by the telecommunication company 
Swisscom for carrying phone conversations. It runs be- 
tween the Swiss cities of Geneva and Nyon, under Lake 
Geneva (Fig. [l^). This was the first time QC was per- 
formed outside of a physics laboratory. It had a strong 
impact on the interest of the wider public for the new 
field of quantum communication. 

These two experiments highlighted the fact that the 
polarization transformation induced by a long optical 
fiber was unstable over time. Indeed, when monitoring 
the QBER of their system, Muller noticed that, although 
it remained stable and low for some time (of the order of 
several minutes), it would suddenly increase after a while, 
indicating a modification of the polarization transforma- 
tion in the fiber. This implies that a real fiber based QC 
system requires active alignment to compensate for this 
evolution. Although not impossible, such a procedure is 
certainly difficult. James Franson did indeed implement 
an active feedback aligment system ( 1995), but did not 
pursue along this direction. It is interesting to note that 
replacing standard fibers with polarization maintaining 
fibers does not solve the problem. The reason is that, in 
spite of their name, these fibers do not maintain polar- 
ization, as explained in paragraph III B 2 . 

Recently, Paul Townsend of BT Laboratories also in- 
vestigated such polarization encoding systems for QC on 
short-span finks up to 10 kilometers (1998a and 1998b) 



with photons at 800nm. It is interesting to note that, 
although he used standard telecommunications fibers 
which can support more than one spatial mode at this 
wavelength, he was able to ensure single-mode propa- 
gation by carefully controlling the launching conditions. 
Because of the problem discussed above, polarization 
coding does not seem to be the best choice for QC in 
optical fibers. Nevertheless, this problem is drastically 
improved when considering free space key exchange, as 
the air has essentially no birefringence at all (see section 
iVEl). 



C. Phase coding 

The idea of encoding the value of qubits in the phase 
of photons was first mentioned by Bennett in the paper 
where he introduced the two-states protocol (1992). It is 
indeed a very natural choice for optics specialists. State 
preparation and analysis are then performed with inter- 
ferometers, that can be realized with single-mode optical 
fibers components. 

Fig. 1^ presents an optical fiber version of a Mach- 
Zehnder interferometer. It is made out of two symmetric 
couplers - the equivalent of beamsplitters - connected 
to each other, with one phase modulator in each arm. 
One can inject light in the set-up using a continuous and 
classical source, and monitor the intensity at the output 
ports. Provided that the coherence length of the light 
used is larger than the path mismatch in the interferom- 
eters, interference fringes can be recorded. Taking into 
account the 7r/2-phase shift experienced upon reflection 
at a beamsplitter, the effect of the phase modulators {(t)A 
and 4)b) and the path length difference (AL), the inten- 
sity in the output port labeled "0" is given by: 



(l)A-(t)B + kAL\ 



(36) 



where k is the wave number and / the intensity of the 
source. If the phase term is equal to 7r/2 + m: where n 
is an integer, destructive interference is obtained. There- 
fore the intensity registered in port "0" reaches a mini- 
mum and all the light exits in port "1" . When the phase 
term is equal to nn, the situation is reversed: construc- 
tive interference is obtained in port "0" , while the inten- 
sity in port "1" goes to a minimum. With intermediate 
phase settings, light can be recorded in both ports. This 
device acts like an optical switch. It is essential to keep 
the path difference stable in order to record stationary 
interferences. 

Although we discussed the behavior of this interferom- 
eter for classical light, it works exactly the same when a 
single photon is injected. The probability to detect the 
photon in one output port can be varied by changing the 
phase. It is the fiber optic version of Young's slits exper- 
iment, where the arms of the interferometer replace the 
apertures. 



24 



This interferometer combined with a single photon 
source and photon counting detectors can be used for 
QC. Ahce's set-up consists of the source, the first coupler 
and the first phase modulator, while Bob takes the sec- 
ond modulator and coupler, as well as the detectors. Let 
us consider the implementation of the four-states BB84 
protocol. On the one hand, Alice can apply one of four 
phase shifts (0, 7r/2, tt, 37r/2) to encode a bit value. She 
associates and 7r/2 to bit 0, and tt and 37r/2 to bit 
1. On the other hand, Bob performs a basis choice by 
applying randomly a phase shift of either or 7r/2, and 
he associates the detector connected to the output port 
"0" to a bit value of 0, and the detector connected to 
the port "1" to 1. When the difference of their phase is 
equal to or tt, Alice and Bob are using compatible bases 
and they obtain deterministic results. In such cases, Al- 
ice can infer from the phase shift she applied, the output 
port chosen by the photon at Bob's end and hence the 
bit value he registered. Bob, on his side, deduces from 
the output port chosen by the photon, the phase that 
Alice selected. When the phase difference equals 7r/2 or 
37r/2, the bases are incompatible and the photon chooses 
randomly which port it takes at Bob's coupler. This is 
summarized in Table 1. We must stress that it is essen- 
tial with this scheme to keep the path difference stable 
during a key exchange session. It should not change by 
more than a fraction of a wavelength of the photons. A 
drift of the length of one arm would indeed change the 
phase relation between Alice and Bob, and induce errors 
in their bit sequence. 



Ahce 


Bob 


Bit value 






ipA - 4>B 


Bit value 























7r/2 


37r/2 


? 


1 


TT 





TT 


1 


1 


TT 


7r/2 


n/2 


? 





7r/2 





7r/2 


? 





7r/2 


7r/2 








1 


37r/2 





37r/2 


? 


1 


37r/2 


7r/2 


TT 


1 



Table 1: Implementation of the BB84 four-states pro- 
tocol with phase encoding. 

It is interesting to note that encoding qubits with 2- 
paths interferometers is formally isomorphic to polar- 
ization encoding. The two arms correspond to a nat- 
ural basis, and the weights cj of each qubit state ip = 
(cie"*"^/^, 026**^/^) are determined by the couphng ratio 
of the first beam splitter while the relative phase (j) is in- 
troduced in the interferometer. The Poincare sphere rep- 
resentation, which applies to all two-levels quantum sys- 
tems, can also be used to represent phase-coding states. 
In this case, the azimuth angle represents the relative 
phase between the light having propagated along the two 
arms. The elevation corresponds to the coupling ratio of 



the first beamsplitter. States produced by a switch are 
on the poles, while those resulting from the use of a 50/50 
beamsplitter lie on the equator. Figure |l5| illustrates this 
analogy. Consequently, all polarization schemes can also 
be implemented using phase coding. Similarly, every cod- 
ing using 2-path interferometers can be realized using po- 
larization. However, in practice one choice is often more 
convenient than the other, depending on circumstances 
like the nature of the quantum channel^. 

1. The double Mach-Zehnder implementation 

Although the scheme presented in the previous para- 
graph works perfectly well on an optical table, it is im- 
possible to keep the path difference stable when Alice and 
Bob are separated by more than a few meters. As men- 
tioned above, the relative length of the arms should not 
change by more than a fraction of a wavelength. Consid- 
ering a separation between Alice and Bob of 1 kilometer 
for example, it is clear that it is not possible to prevent 
path difference changes smaller than l/im caused by en- 
vironmental variations. In his 1992 letter, Bennett also 
showed how to get round this problem. He suggested to 
use two unbalanced Mach-Zehnder interferometers con- 
nected in series by a single optical fiber (see Fig. |6|), 
both Alice and Bob being equipped with one. When 
monitoring counts as a function of the time since the 
emission of the photons. Bob obtains three peaks (see 
the inset in Fig. |l^). The first one corresponds to the 
cases where the photons chose the short path both in 
Alice's and in Bob's interferometers, while the last one 
corresponds to photons taking twice the long paths. Fi- 
nally, the central peak corresponds to photons choosing 
the short path in Alice's interferometer and the long one 
in Bob's, and to the opposite. If these two processes are 
indistinguishable, they produce interference. A timing 
window can be used to discriminate between interfering 
and non-interfering events. Disregarding the latter, it is 
then possible for Alice and Bob to exchange a key. 

The advantage of this set-up is that both "halves" of 
the photon travel in the same optical fiber. They experi- 
ence thus the same optical length in the environmentally 
sensitive part of the system, provided that the variations 
in the fiber are slower than their temporal separations, 
determined by the interferometer's imbalance (« 5ns). 
This condition is much less difficult to fulfill. In order to 
obtain a good interference visibility, and hence a low er- 
ror rate, the imbalancements of the interferometers must 



Note, in addition, that using many-path interferometers 
opens up the possibility to code quantum systems of dimen- 
sions larger than 2, like qutrits, ququarts, etc. (Bechmann- 
Pasquinucci and Tittel 2000, Bechmann-Pasquinucci and 
Peres 2000, Bourennane et al. 2001a). 



25 



be equal within a fraction of the coherence time of the 
photons. This imphes that the path differences must be 
matched within a few miUimeters, which does not con- 
stitute a problem. Besides, the imbalancement must be 
chosen so that it is possible to clearly distinguish the 
three temporal peaks and thus discriminate interfering 
from non-interfering events. It must then typically be 
larger than the pulse length and than the timing jitter 
of the photon counting detectors. In practice, the second 
condition is the most stringent one. Assuming a time 
jitter of the order of 500ps, an imbalancement of at least 
1.5ns keeps the overlap between the peaks low. 

The main difficulty associated with this QC scheme is 
that the imbalancements of Alice's and Bob's interferom- 
eters must be kept stable within a fraction of the wave- 
length of the photons during a key exchange to maintain 
correct phase relations. This implies that the interfer- 
ometers must lie in containers whose temperature is sta- 
bilized. In addition, for long key exchanges an active 
system is necessary to compensate the drifts^. Finally, 
in order to ensure the indistinguishability of both inter- 
fering processes, one must make sure that in each inter- 
ferometer the polarization transformation induced by the 
short path is the same as the one induced by the long one. 
Alice as much as Bob must then use a polarization con- 
troller to fulfill this condition. However, the polarization 
transformation in short optical fibers whose temperature 
is kept stable, and which do not experience strains, is 
rather stable. This adjustment does thus not need to be 
repeated frequently. 

Paul Tapster and John Rarity from DERA working 
with Paul Townsend were the first ones to test this sys- 
tem over a fiber optic spool of 10 kilometers (1993a and 
1993b). Townsend later improved the interferometer by 
replacing Bob's input coupler by a polarization splitter 
to suppress the lateral non-interfering peaks (1994). In 
this case, it is unfortunately again necessary to align the 
polarization state of the photons at Bob's, in addition to 
the stabilization of the interferometers imbalancement. 
He later thoroughly investigated key exchange with phase 
coding and improved the transmission distance (Maraud 
and Townsend 1995, Townsend 1998b). He also tested 
the possibility to multiplex at two different wavelengths 
a quantum channel with conventional data transmission 
over a single optical fiber (Townsend 1997a). Richard 
Hughes and his co-workers from Los Alamos National 
Laboratory also extensively tested such an interferome- 



^*Polarization coding requires the optimization of three pa- 
rameters (three parameters are necessary for unitary polar- 
ization control). In comparison, phase coding requires opti- 
mization of only one parameter. This is possible because the 
coupling ratios of the beamsplitters are fixed. Both solutions 
would be equivalent if one could limit the polarization evolu- 
tion to rotations of the elliptic states, without changes in the 
ellipticity. 



ter (1996 and 2000b), up to distances of 48 km of installed 
optical fiber 0. 



2. The "Plug-&-Play" systems 

As discussed in the two previous sections, both polar- 
ization and phase coding require active compensation of 
optical path fluctuations. A simple approach would be 
to alternate between adjustment periods, where pulses 
containing large numbers of photons are exchanged be- 
tween Alice and Bob to adjust the compensating system 
correcting for slow drifts in phase or polarization, and 
qubits transmission periods, where the number of pho- 
tons is reduced to a quantum level. 

An approach invented in 1989 by Martinelli, then at 
CISE Tecnologie Innovative in Milano, allows to auto- 
matically and passively compensate all polarization fluc- 
tuations in an optical fiber (see also Martinelli, 1992). 
Let us consider first what happens to the state of po- 
larization of a pulse of light travelling through an op- 
tical fiber, before being reflected by a Faraday mirror 
- a mirror with a j Faraday rotator^ - in front, and 
coming back. We must first define a convenient descrip- 
tion of the change in polarization of light refiected by 
a mirror under perpendicular incidence. Let the mirror 
be in the x-y plane and z be the optical axis. Clearly, 
all linear polarization states are unchanged by a reflec- 
tion. But right-handed circular polarization is changed 
into left-handed and vice-versa. Actually, after a reflec- 
tion the rotation continues in the same sense, but since 
the propagation direction is reversed, right-handed and 
left-handed are swapped. The same holds for elliptic po- 
larization states: the axes of the ellipse are unchanged, 



■^^Note that in this experiment Hughes and his coworkers 
used an unusually high mean number of photons per pulse 
(They used a mean photon number of approximately 0.6 in 
the central interference peak, corresponding to a p « 1.2 in 
the pulses leaving Alice. The latter value is the relevant one 
for an eavesdropping analysis, since Eve could use an inter- 
ferometer - conceivable with present technology - where the 
first coupler is replaced by an optical switch and which allows 
her to exploit all the photons sent by Alice.). In the light of 
this high n and of the optical losses (22.8 dB), one may argue 
that this implementation was not secure, even when taking 
into acco unt only so-called realistic eavesdropping strategies 
(see VII). Finally, it is possible to estimate the results that 
other groups would have obtained if they had used a similar 
value of fj.. One then finds that key distribution distances 
of the same order could have been achieved. This illustrates 
that the distance is a somewhat arbitrary figure of merit for 
a QC system. 

■^^These components, commercially available, are extremely 
compact and convenient when using telecommunications 
wavelengths, which is not true for other wavelengths. 



26 



but right and left are exchanged. Accordingly, on the 
Poincare sphere the polarization transformation upon re- 
flection is described by a symmetry through the equa- 
torial plane: the north and south hemispheres are ex- 
changed: m — > {nil, 1^2, —rris). Or in terms of the qubit 
state vector: 



T 



^2 



(37) 



This is a simple representation, but some attention has 
to be paid. Indeed this transformation is not a unitary 
one! Actually, the above description switches from a 
right-handed reference frame XYZ to a left handed one 
XYZ, where Z = —Z. There is nothing wrong in doing 
so and this explains the non-unitary polarization trans- 
formation]^ Note that other descriptions are possible, 
but they require to artificially break the XY symmetry. 
The main reason for choosing this particular transforma- 
tion is that the description of the polarization evolution 
in the optical fiber before and after the reflection is then 
straightforward. Indeed, let U = e-'^^Bai/2 ^^Q^QYibe this 
evolution under the effect of some modal birefringence 
i3 in a flber section of length £ [a is the vector whose 
components are the Pauli matrices). Then, the evolution 
after reflection is simply described by the inverse opera- 



tor [/- 



JujB3i/2 



Now that we have a description for 



the mirror, let us add the Faraday rotator. It produces 
a ^ rotation of the Poincare sphere around the north- 
south axis: F — e"*'^'^^/'* (see Fig. |l^). Because the 
Faraday effect is non-reciprocal (remember that it is due 
to a magnetic field which can be thought of as produced 
by a spiraling electric current), the direction of rotation 
around the north-south axis is independent of the light 
propagation direction. Accordingly, after reflection on 
the mirror, the second passage through the Faraday ro- 
tator rotates the polarization in the same direction (see 
again Fig. |l^) and is described by the same operator F. 
Consequently, the total effect of a Faraday mirror is to 
change any incoming polarization state into its orthogo- 
nal state m —rn. This is best seen on Fig. ^ but can 
also be expressed mathematically: 



FTF 



r2 



(38) 



Finally, the whole optical fiber can be modelled as con- 
sisting of a discrete number of birefringent elements. If 



^'^Note that this transformation is positive, but not com- 
pletely positive. It is thus closely connected to the partial 
transposition map (Peres 1996) . If several photons are entan- 
gled, then it is crucial to describe all of them in frames with 
the same chirality. Actually that this is necessary is the con- 
tent of the Peres-Horodecki entanglement witness (Horodecki 
et al. 1996). 



there are N such elements in front of the Faraday mirror, 
the change in polarization during a round trip can be 
expressed as (recall that the operator FTF only changes 
the sign of the corresponding Bloch vector rfi — ('0|ct|V'))- 



U~^...U^^FTFUn...Ui = FTF 



(39) 



The output polarization state is thus orthogonal to the 
input one, regardless of any birefringence in the fibers. 
This approach can thus correct for time varying birefrin- 
gence changes, provided that they are slow compared to 
the time required for the light to make a round trip (a 
few hundreds of microseconds). 

By combining this approach with time-multiplexing 
in a long path interferometer, it is possible to imple- 
ment a quantum cryptography system based on phase 
coding where all optical and mechanical fluctuations are 
automatically and passively compensated (MuUer et al. 
1997). We performed a first experiment in early 1997 
(Zbinden et al., 1997), and a key was exchanged over an 
installed optical fiber cable of 23 km (the same one as in 
the case of polarization coding mentioned before). This 
setup features a high interference contrast (fringe visi- 
bility of 99.8%) and an excellent long term stability and 
clearly established the value of the approach for QC. The 
fact that no optical adjustments are necessary earned it 
the nickname of "plug & play" set-up. It is interesting to 
note that the idea of combining time-multiplexing with 
Faraday mirrors was first used to implement an "optical 
microphone" (Breguet and Gisin, 1995)P^ 

However, our first realization still suffered from certain 
optical inefficiencies, and has been improved since then. 
Similar to the setup tested in 1997, the new system is 
based on time multiplexing as well, where the interfering 
pulses travel along the same optical path, however, in 
different time ordering. A schematic is shown in Fig. |l^. 
Briefly, to understand the general idea, pulses emitted 
at Bobs can travel either via the short arm at Bob's, be 
reflected at the Faraday mirror FM at Alice's and finally, 
back at Bobs, travel via the long arm. Or, they travel 
first via the long arm at Bob's, get reflected at Alice's, 
travel via the short arm at Bob's and then superpose 
with the first mentioned possibility on beamsplitter Ci. 
We now explain the realization of this scheme more in 
detail: A short and bright laser pulse is injected in the 
system through a circulator. It splits at a coupler. One 
of the half pulses, labeled Pi, propagates through the 
short arm of Bob's set-up directly to a polarizing beam- 
splitter. The polarization transformation in this arm is 
set so that it is fully transmitted. Pi is then sent onto 
the fiber optic link. The second half pulse, labeled P2, 



■^^Note that since then, we have used this interferometer for 
various other applications; non-linear index of refraction mea- 
surement in fibers (Vinegoni et al., 2000a), optical switch 
(Vinegoni et al, 2000b). 



27 



takes the long arm to the polarizing beamsplitter. The 
polarization evolution is such that it is reflected. A phase 
modulator present in this long arm is left inactive so that 
it imparts no phase shift to the outgoing pulse. P2 is 
also sent onto the link, with a delay of the order of 200 
ns. Both half pulses travel to Alice. Pi goes through a 
coupler. The diverted light is detected with a classical 
detector to provide a timing signal. This detector is also 
important in preven ting s o called Trojan Horse attacks 
discussed in section VI K. The non-diverted light prop- 
agates then through an attenuator and a optical delay 
line - consisting simply of an optical fiber spool - whose 
role will be explained later. Finally it passes a phase 
modulator, before being reflected by Faraday mirror. P2 
follows the same path. Alice activates briefly her modula- 
tor to apply a phase shift on Pi only, in order to encode 
a bit value exactly like in the traditional phase coding 
scheme. The attenuator is set so that when the pulses 
leave Alice, they do not contain more than a fraction of a 
photon. When they reach the PBS after their return trip 
through the link, the polarization state of the pulses is 
exactly orthogonal to what it was when they left, thanks 
to the effect of the Faraday mirror. PI is then reflected 
instead of being transmitted. It takes the long arm to 
the coupler. When it passes. Bob activates his modula- 
tor to apply a phase shift used to implement his basis 
choice. Similarly, P2 is transmitted and takes the short 
arm. Both pulses reach the coupler at the same time and 
they interfere. Single-photon detectors are then use to 
record the output port chosen by the photon. 

We implemented with this set-up the full four states 
BB84 protocol. The system was tested once again on 
the same installed optical fiber cable linking Geneva and 
Nyon (23 km, see Fig. |l^) at 1300 nm and observed 
a very low QBERopt « 1.4% (Ribordy et al. 1998 and 
2000). Proprietary electronics and software were devel- 
oped to allow fully automated and user-friendly operation 
of the system. Because of the intrinsically bi-directional 
nature of this system, great attention must be paid to 
Rayleigh backscattering. The light traveling in an optical 
fiber undergoes scattering by inhomogeneities. A small 
fraction («1%) of this light is recaptured by the fiber 
in the backward direction. When the repetition rate is 
high enough, pulses traveling to Alice and back from her 
must intersect at some point along the line. Their inten- 
sity is however strongly different. The pulses are more 
than a thousand times brighter before than after reflec- 
tion from Alice. Backscattered photons can accompany 
a quantum pulse propagating back to Bob and induce 
false counts. We avoided this problem by making sure 
that pulses traveling from and to Bob are not present in 
the line simultaneously. They are emitted in the form 
of trains by Bob. Alice stores these trains in her optical 
delay line, which consists of an optical fiber spool. Bob 
waits until all the pulses of a train have reached him, be- 
fore sending the next one. Although it completely solves 
the problem of Rayleigh backscattering induced errors, 
this configuration has the disadvantage of reducing the 



effective repetition frequency. A storage line half long as 
the transmission line amounts to a reduction of the bit 
rate by a factor of approximately three. 

Researchers at IBM developed a similar system simul- 
taneously and independently (Bethune and Risk, 2000), 
also working at 1300 nm. However, they avoided the 
problems associated with Rayleigh backscattering, by re- 
ducing the intensity of the pulses emitted by Bob. As 
these cannot be used for synchronization purposes any 
longer, they added a classical channel wavelength mul- 
tiplexed (1550 nm) in the line, to allow Bob and Alice 
to synchronize their systems. They tested their set-up 
on a 10 km long optical fiber spool. Both of these sys- 
tems are equivalent and exhibit similar performances. In 
addition, the group of Anders Karlsson at the Royal In- 
stitute of Technology in Stockholm verified in 1999 that 
this technique also works at a wavelength of 1550 nm 
(Bourennane et al., 1999 and Bourennane et al., 2000). 
These experiments demonstrate the potential of "plug & 
play" -like systems for real world quantum key distribu- 
tion. They certainly constitute a good candidate for the 
realization of prototypes. 

Their main disadvantage with respect to the other sys- 
tems discussed in this section is that they are m ore sensi- 
tive to Trojan horse strategies (see section VI K). Indeed, 
Eve could send a probe beam and recover it through the 
strong reficction by the mirror at the end of Alice's sys- 
tem. To prevent such an attack, Alice adds an attenu- 
ator to reduce the amount of light propagating through 
her system. In addition, she must monitor the incoming 
intensity using a classical linear detector. Besides, sys- 
tems based on this approach cannot be operated with a 
true single-photon source, and will thus not benefit from 
the progress in this field Pi. 



D. Frequency coding 

Phase based systems for QC require phase synchroniza- 
tion and stabilization. Because of the high frequency of 
optical waves (approximately 200 THz at 1550 nm), this 
condition is difficult to fulfill. One solution is to use self- 
aligned systems like the "plug&play" set-ups discussed 
in the previous section. Prof. Goedgebuer and his team 
from the University of Besangon, in France, introduced 
an alternative solution (Sun et al. 1995, Mazurenko et al. 
1997, MeroUa et al. 1999; see also Molotkov 1998). Note 
that the title of this section is not completely correct in 
the sense that the value of the qubits is not coded in the 
frequency of the light, but in the relative phase between 
sidebands of a central optical frequency. 



•^^The fact that the pulses travel along a round trip implies 
that losses are doubled, yielding a reduced counting rate. 



28 



Their system is depicted in Fig. A source emits 
short pulses of classical monochromatic light with angu- 
lar frequency ujs- A first phase modulator PMa modu- 
lates the phase of this beam with a frequency f2 <s; los 
and a small modulation depth. Two sidebands are thus 
generated at frequencies ujs ± The phase modulator is 
driven by a radio-frequency oscillator RFOa whose phase 
can be varied. Finally, the beam is attenuated so that 
the sidebands contain much less than one photon per 
pulse, while the central peak remains classical. After the 
transmission link, the beam experiences a second phase 
modulation applied by PMb- This phase modulator is 
driven by a second radio- frequency oscillator RFO b with 
the same frequency and a phase <I> b ■ These oscillators 
must be synchronized. After passing through this device, 
the beam contains the original central frequency the 
sidebands created by Alice, and the sidebands created by 
Bob. The sidebands at frequencies ojs ± ^ are mutually 
coherent and thus yield interference. Bob can then record 
the interference pattern in these sidebands, after removal 
of the central frequency and the higher order sidebands 
with a spectral filter. 



To implement the B92 protocol (see paragraph II D 1 ) , 
Alice randomly chooses the value of the phase ^a, for 
each pulse. She associates a bit value of "0" to the phase 
and the bit "1" to phase tt. Bob also chooses randomly 
whether to apply a phase ^b of or tt. One can see that 
if = 0, the interference is constructive and 

Bob's single-photon detector has a non-zero probability 
of recording a count. This probability depends on the 
number of photons present initially in the sideband, as 
well as the losses induced by the channel. On the other 
hand, if \^a — — tt, interference is destructive and 
no count will ever be recorded. Consequently, Bob can 
infer, everytime he records a count, that he applied the 
same phase as Alice. When a given pulse does not yield 
a detection, the reason can be that the phases applied 
were different and destructive interference took place. It 
can also mean that the phases were actually equal, but 
the pulse was empty or the photon got lost. Bob cannot 
decide between these two possibilities. From a concep- 
tual point of view, Alice sends one of two non-orthogonal 
states. There is then no way for Bob to distinguish be- 
tween them deterministically. However he can perform a 
generalized measurement, also known as a positive opera- 
tor value measurement^ which will sometimes fail to give 
an answer, and at all other times gives the correct one. 

Eve could perform the same measurement as Bob. 
When she obtains an inconclusive result, she could just 
block both the sideband and the central frequency so 
that she does not have to guess a value and does not risk 
introducing an error. To prevent her from doing that. 
Bob verifies the presence of this central frequency. Now 
if Eve tries to conceal her presence by blocking only the 
sideband, the reference central frequency will still have 
a certain probability of introducing an error. It is thus 
possible to catch Eve in both cases. The monitoring of 
the reference beam is essential in all two-states protocol 



to reveal eavesdropping. In addition, it was shown that 
this reference beam monitoring can be extended to the 
four-states protocol (Huttner et at, 1995). 

The advantage of this set-up is that the interference 
is controlled by the phase of the radio-frequency oscilla- 
tors. Their frequency is 6 orders of magnitude smaller 
than the optical frequency, and thus considerably easier 
to stabilize and synchronize. It is indeed a relatively sim- 
ple task that can be achieved by electronic means. The 
Besangon group performed key distribution with such a 
system. The source they used was a DBR laser diode 
at a wavelength of 1540 nm and a bandwidth of 1 MHz. 
It was externally modulated to obtain 50 ns pulses, thus 
increasing the bandwidth to about 20 MHz. They used 
two identical LiNbOa phase modulators operating at a 
frequency il/2TT = 300MHz. Their spectral filter was 
a Fabry-Perot cavity with a finesse of 55. Its resolution 
was 36 MHz. They performed key distribution over a 
20 km long single-mode optical fiber spool, recording a 
QBERopt contribution of approximately 4%. They es- 
timated that 2% can be attributed to the transmission 
of the central frequency by the Fabry-Perot cavity. Note 
also that the detector noise is relatively large due to the 
large pulse durations. Both these errors could be lowered 
by increasing the separation between the central peak 
and the sidebands, allowing reduced pulse widths, hence 
shorter detection times and lower darkcounts. Neverthe- 
less, a compromise must be found since, in addition to 
technical drawbacks of high speed modulation, the po- 
larization transformation in an optical fiber depends on 
the wavelength. The remaining 2% of the QBERopt is 
due to polarization effects in the set-up. 

This system is another possible candidate. It's main 
advantage is the fact that it could be used with a true 
single-photon source, if it existed. On the other hand, 
the contribution of imperfect interference visibility to the 
error rate is significantly higher than that measured with 
"plug&play" systems. In addition, if this system is to be 
truly independent of polarization, it is essential to ensure 
that the phase modulators have very low polarization 
dependency. In addition, the stability of the frequency 
filter may constitute a practical difficulty. 



E. Free space line-of-sight applications 

Since optical fiber channels may not always be avail- 
able, several groups are trying to develop free space line- 
of-sight QC systems, capable for example to distribute a 
key between buildings rooftops in an urban setting. 

It may of course sound difficult to detect single pho- 
tons amidst background light, but the first experiments 
demonstrated the possibility of free space QC. Besides, 
sending photons through the atmosphere also has advan- 
tages, since thi s medi um is essentially not birefringent 
(see paragraph IIIB4 ). It is then possible to use plain 
polarization coding. In addition, one can ensure a very 



29 



high channel transmission over large distances by choos- 
ing careful ly the wavelength of the photons (see again 
paragraph [II B 4). The atmosphere has for example a 
high transmission "window" in the vicinity of 770 nm 
(transmission as high as 80% between a ground station 
and a satellite), which happens to be compatible with 
commercial silicon APD photon counting modules (de- 
tection efficiency as high as 65% and low noise). 

The systems developed for free space applications are 
actually very similar to the one shown in Fig. [ij. The 
main difference is that the emitter and receiver are con- 
nected to telescopes pointing at each other, instead of 
an optical fiber. The contribution of background light 
to errors can be maintained at a reasonable level by us- 
ing a combination of timing discrimination (coincidence 
windows of typically a few ns), spectral filtering (< 1 nm 
interference filters) and spatial filtering (coupling into an 
optical fiber). This can be illustrated with the follow- 
ing simple calculation. Let us suppose that the isotropic 
spectral background radiance is 10^^ W/m^ nm sr at 
800 nm. This corresponds to the spectral radiance of a 
clear zenith sky with a sun elevation of 77° (Zissis and 
Larocca, 1978). The divergence of a Gaussian beam 
with radius wq is given by 6* = \/wqit. The product of 
beam (telescope) cross-section and solid angle, which is a 
constant, is therefore ttivqItB'^ = X^. By multiplying the 
radiance by A^, one obtains the spectral power density. 
With an interference filter of 1 nm width, the power on 
the detector is 6 • 10~^^ W, corresponding to 2 • 10^ pho- 
tons per second or 2 • 10^^ photons per ns time window. 
This quantity is approximately two orders of magnitude 
larger than the dark count probability of Si APD's, but 
still compatible with the requirements of QC. Besides the 
performance of free space QC systems depends dramati- 
cally on atmospheric conditions and air quality. This is 
problematic for urban applications where pollution and 
aerosols degrade the transparency of air. 

The first free space QC experiment over a distance of 
more than a few centimeters was performed by Jacobs 
and Franson in 1996. They exchanged a key over a dis- 
tance of 150 m in a hallway illuminated with standard 
fluorescent lighting and 75 m outdoor in bright daylight 
without excessive QBER. Hughes and his team were the 
first to exchange a key over more than one kilometer un- 
der outdoor nighttime conditions (Buttler et al. 1998, 
and Hughes et al. 2000a). More recently, they even im- 
proved their system to reach a distance of 1.6 km under 
daylight conditions (Buttler et al. 2000). Finally Rarity 
and his coworkers performed a similar experiment where 
they exchanged a key over a distance of 1.9 km under 
nighttime conditions (Gorman et al. 2000). 



Before quantum repeaters become available and allow 
to overcome the distance limitation of fiber based QC, 
free space systems seem to offer the only possibility for 
QC over distances of more than a few dozens kilome- 
ters. A QC link could be established between ground 
based stations and a low orbit (300 to 1200 km) satel- 
lite. The idea is first to exchange a key fc^ between Alice 
and a satellite, using QC, next to establish another key 
kB between Bob and the same satellite. Then the satel- 
lite publicly announces the value K = kA® ks obtained 
after an XOR of the two keys (© represents here the 
XOR operator or equivalcntly the binary addition mod- 
ulo 2 without carry). Bob subtracts then his key from 
this value to recover Ahce's key {kA = KQ kg) Q. The 
fact that the key is known to the satellite operator may 
be at first sight seen as a disadvantage. But this point 
might on the contrary be a very positive one for the de- 
velopment of QC, since governments always like to keep 
control of communications! Although this has not yet 
been demonstrated, Hughes as well as Rarity have es- 
timated - in view of their free space experiments - that 
the difflculty can be mastered. The main difficulty would 
come from beam pointing - don't forget that the satel- 
lites will move with respect to the ground - and wander- 
ing induced by turbulences. In order to reduce this latter 
problem the photons would in practice probably be sent 
down from the satellite. Atmospheric turbulences are in- 
deed almost entirely concentrated on the first kilometer 
above the earth surface. Another possibility to compen- 
sate for beam wander is to use adaptative optics. Free 
space QC experiments over distances of the order of 2 
km constitute major steps towards key exchange with a 
satellite. According to Buttler et al. (2000), the optical 
depth is indeed similar to the effective atmospheric thick- 
ness that would be encountered in a surface-to-satellite 
application. 



F. Multi-users implementations 

Paul Townsend and colleagues investigated the ap- 
plication of QC over multi-user optical fiber networks 
(Phoenix et al 1995, Townsend et al. 1994, Townsend 
1997b). They used a passive optical fiber network ar- 
chitecture where one Alice - the network manager - is 
connected to multiple network users (i.e. many Bobs, see 
Fig. |2^). The goal is for Alice to establish a verifiably 
secure and unique key with each Bob. In the classical 
limit, the information transmitted by Alice is gathered by 
all Bobs. However, because of their quantum behavior, 



Remember that Bennett and his coworkers performed the 
first demonstration of QC over 30 cm in air (Bennett et al. 
1992a). 



*^This scheme could also be used with optical fiber imple- 
mentation provided that secure nodes exist. In the case of a 
satellite, one tacitly assumes that it constitutes such a secure 
node. 



30 



the photons are effectively routed at the beamsplitter to 
one, and only one, of the users. Using the double Mach- 
Zehnder configuration discussed above, they tested such 
an arrangement with three Bobs. Nevertheless, because 
of the fact that QC requires a direct and low attenuation 
optical channel between Alice and Bob, the possibility to 
implement it over large and complex networks appears 
limited. 



V. EXPERIMENTAL QUANTUM 
CRYPTOGRAPHY WITH PHOTON PAIRS 

The possibility to use entangled photon pairs for quan- 
tum cryptography was first proposed by Ekert in 1991. 
In a subsequent paper, he investigated, with other re- 
searchers, the feasibility of a practical system (Ekert et 
ai, 1992). Although all tests of Bell inequalities (for a 
review, see for example, Zeilinger 1999) can be seen as 
experiments of quantum cryptography, systems specifi- 
cally designed to meet the special requirements of QC, 
like quick change of bases, were first implemented only 
recently In 1999, three groups demonstrated quan- 
tum cryptography based on the properties of entangled 
photons. They were reported in the same issue of Phys. 
Rev. Lett. (Jennewein et al. 2000b, Naik et al. 2000, 
Tittel et al. 2000), illustrating the fast progress in the 
still new field of quantum communication. 

When using photon pairs for QC, one advantage lies 
in the fact that one can remove empty pulses, since the 
detection of one photon of a pair reveals the presence of 
a companion. In principle, it is thus possible to have 
a probability of emitting a non-empty pulse equal to 
one^. It is beneficial only because presently available 
single-photon detector feature high dark count probabil- 
ity. The difficulty to always collect both photons of a pair 
somewhat reduces this advantage. One frequently hears 
that photon-pairs have also the advantage of avoiding 
multi-photon pulses, but this is not correct. For a given 
mean photon number, the probability that a non-empty 
pulse contains more than one photon is essentially the 
same f or weak pulses and for photon pairs (see paragraph 
III A 2| ) . Second, using entangled photons pairs prevents 
unintended information leakage in unused degrees of free- 
dom (Mayers and Yao 1998). Observing a QBER smaller 
than approximately 15%, or equivalently that Bell's in- 
equality is violated, indeed guarantees that the photons 
are entangled and so that the different states are not 
fully distinguishable through other degrees of freedom. 
A third advantage was indicated recently by new and 
elaborate eavesdropping analyses. The fact that passive 
state preparation can be impleme nted prevents multipho- 
ton splitting attacks (see section VIJ). 



This definition of quantum cryptography applies to the fa- 
mous experiment by Aspect and his co-workers testing Bell 
inequalities with time varying analyzers (Aspect et al, 1982). 
QC had however not yet been invented. It also applies to the 
more recent experiments closing the locality loopholes, like 
the one performed in Innsbruck using fast polarization mod- 
ulators (Weihs et al. 1998) or the one performed in Geneva 
using two analyzers on each side (Tittel et al. 1999; Gisin and 
Zbinden 1999). 

'*"^Photon pair sources are often, though not always, pumped 
continuously. In these cases, the time window determined by 
a trigger detector and electronics defines an effective pulse. 



31 



The coupling between the optical frequency and the 
property used to encode the qubit, i.e. decoherence, is 
rather easy to master when using faint laser pulses. How- 
ever, this issue is more serious when using photon pairs, 
because of the larger spectral width. For example, for a 
spectral width of 5 nm FWHM - a typical value, equiva- 
lent to a coherence time of 1 ps - and a fiber with a typical 
PMD of 0.2 ps/^/km, transmission over a few kilometers 
induc es signi ficant depolarization, as discussed in para- 
graph IIIB2. In case of polarization-entangled photons, 
this gradually destroys their correlation. Although it is in 
principle possible to compensate this effect, the statistical 
nature of the PMD makes this impracticai P|. A lthough 
perfectly fine for free-space QC (see section EVE), polar- 
ization entanglement is thus not adequate for QC over 
long optical fibers. A similar effect arises when dealing 
with energy-time entangled photons. Here, the chromatic 
dispersion destroys the strong time-correlations between 
the photons forming a pair. However, as discussed in 
paragraph III B 3 , it is possible to passively compensate 



for this effect using either additional fibers with opposite 
dispersion, or exploiting the inherent energy correlation 
of photon pairs. 

Generally speaking, entanglement based systems are 
far more complex than faint laser pulses set-ups. They 
will most certainly not be used in the short term for the 
realization of industrial prototypes. In addition the cur- 
rent experimental key creation rates obtained with these 
systems are at least two orders of magnitude smaller than 
those obtained with faint laser pulses set-ups (net rate in 
the order of a few tens of bits per second rather than a few 
thousands bits per second for a 10 km distance). Nev- 
ertheless, they offer interesting possibilities in the con- 
text of cryptographic optical networks The photon pairs 
source can indeed be operated by a key provider and sit- 
uated somewhere in between potential QC customers. In 
this case, the operator of the source has no way to get any 
information about the key obtained by Alice and Bob. 

It is interesting to emphasize the close analogy between 
1 and 2-photon schemes, which was first noted by Ben- 
nett, Brassard and Mermin (1992). Indeed, in a 2-photon 
scheme, one can always consider that when Alice detects 
her photon, she effectively prepares Bob's photon in a 
given state. In the 1-photon analog, Alice's detectors 
are replaced by sources, while the photon pair source be- 
tween Alice and Bob is bypassed. The difference between 
these schemes lies only in practical issues, like the spec- 
tral widths of the light. Alternatively, one can look at 
this analogy from a different point of view: in 2-photon 



*'*In the case of weak pulses we saw that a full round trip to- 
gether with the use of Fara day mirrors circumvents the prob- 



lem (see paragraph [VC2). However, since the channel loss 
on the way from the source to the Faraday mirror inevitably 
increases the empty pulses fraction, the main advantage of 
photon pairs vanishes in such a configuration. 



schemes, everything is as if Alice's photon propagated 
backwards in time from Alice to the source and then for- 
wards from the source to Bob. 



A. Polarization entanglement 

A first class of experiments takes advantage of 
polarization-entangled photon pairs. The setup, depicted 
in Fig. |2l|, is similar to the scheme used for polarization 
coding based on faint pulses. A two-photon source emits 
pairs of entangled photons flying back to back towards 
Alice and Bob. Each photon is analyzed with a polar- 
izing beamsplitter whose orientation with respect to a 
common reference system can be changed rapidly. Two 
experiments, have been reported in the spring of 2000 
(Jennewein et al. 2000b, Naik et al. 2000). Both used 
photon pairs at a wavelength of 700 nm, which were de- 
tected with commercial single photon detectors based on 
Silicon APD's. To create the photon pairs, both groups 
took advantage of parametric downconversion in one or 
two BBO crystals pumped by an argon-ion laser. The an- 
alyzers consisted of fast modulators, used to rotate the 
polarization state of the photons, in front of polarizing 
beamsplitters. 

The group of Anton Zeilinger, then at the University of 
Innsbruck, demonstrated such a crypto-system, including 
error correction, over a distance of 360 meters (Jennewein 
et al. 2000b). Inspired by a test of Bell inequalities 
performed with the same set-up a year earlier (Weihs et 
ai, 1998), the two-photon source was located near the 
center between the two analyzers. Special optical fibers, 
designed for guiding only a single mode at 700 nm, were 
used to transmit the photons to the two analyzers. The 
results of the remote measurements were recorded locally 
and the processes of key sifting and of error correction 
implemented at a later stage, long after the distribution 
of the qubits. Two different protocols were implemented: 
one based on Wigner's inequality (a special form of Bell 
inequalities), and the other one following BB84. 

The group of Paul Kwiat then at Los Alamos National 
Laboratory, demonstrated the Ekcrt protocol (Naik et al. 
2000). This experiment was a table-top realization with 
the source and the analyzers only separated by a few 
meters. The quantum channel consisted of a short free 
space distance. In addition to performing QC, the re- 
searchers simulated different eavesdropping strategies as 
well. As predicted by the theory, they observed a rise of 
the QBER with an increase of the information obtained 
by the eavesdropper. Moreover, they also recently im- 
plemented the six-state protocol described in paragraph 
HP 2 , and observed the predicted QBER increase to 33% 
(Enzer et al. 2001). 

The main advantage of polarization entanglement is 
the fact that analyzers are simple and efficient. It is 
therefore relatively easy to obtain high contrast. Naik 
and co-workers, for example, measured a polarization 



32 



extinction of 97%, mainly limited by electronic imper- 
fections of the fast modulators. This amounts to a 
QBERopt contribution of only 1.5%. In addition, the 
constraint on the coherence length of the pump laser is 
not very stringent (note that if it is shorter than the 
length of the crystal some difficulties can appear, but we 
will not mention them here). 

In spite of their qualities, it would be difficult to repro- 
duce these experiments on distances of more than a few 
kilometers of optical fiber. As mentioned in the intro- 
duction to this chapter, polarization is indeed not robust 
enough to decoherence in optical fibers. In addition, the 
polarization state transformation induced by an installed 
fiber frequently fluctuates, making an active alignment 
system absolutely necessary. Nevertheless, these exper- 
iments are very interesting in the context of free space 
QC. 



B. Energy-time entanglement 

1. Phase-coding 

The other class of experiments takes advantage of 
energy-time entangled photon pairs. The idea originates 
from an arrangement proposed by Franson in 1989 to 
test Bell inequalities. As we will see below, it is com- 
parable to the d ouble M ach-Zehndcr configuration dis- 
cussed in section IV C 1 . A source emits pairs of energy- 



correlated photons with both particles created at exactly 
the same, however uncertain time (see Fig. |2^). This 
can be achieved by pumping a non-linear crystal with 
a pump of large coherence time. The pairs of down- 
converted photons are then split, and one photon is sent 
to each party down quantum channels. Both Alice and 
Bob possess a widely, but identically unbalanced Mach- 
Zehnder interferometer, with photon counting detectors 
connected to the outputs. Locally, if Alice or Bob change 
the phase of their interferometer, no effect on the count 
rates is observed, since the imbalancement prevents any 
single-photon interference. Looking at the detection-time 
at Bob's with respect to the arrival time at Alice's, three 
different values are possible for each combination of de- 
tectors. The different possibilities in a time spectrum 
are shown in Fig. |2^. First, both photons can propagate 
through the short arms of the interferometers. Next, one 
can take the long arm at Alice's, while the other one 
takes the short one at Bob's. The opposite is also pos- 
sible. Finally, both photons can propagate through the 
long arms. When the path differences of the interferome- 
ters are matched within a fraction of the coherence length 
of the down-converted photons, the short-short and the 
long-long processes are indistinguishable, provided that 
the coherence length of the pump photon is larger than 
the path-length difference. Conditioning detection only 
on the central time peak, one observes two-photon inter- 
ferences which depends on the sum of the relative phases 



in Alice's and Bob's interferometer - non-local quantum 
correlation (Franson 1989)^ - see Fig. ^ The phase 
in the interferometers at Alice's and Bob's can, for ex- 
ample, be adjusted so that both photons always emerge 
from the same output port. It is then possible to ex- 
change bits by associating values to the two ports. This 
is, however, not sufficient. A second measurement basis 
must be implemented, to ensure security against eaves- 
dropping attempts. This can be done for example by 
adding a second interferometer to the systems (see Fig. 
p^ ). In the latter case, when reaching an analyzer, a 
photon chooses randomly to go to one or the other in- 
terferometer. The second set of interferometers can be 
adjusted to also yield perfect correlations between out- 
put ports. The relative phase between their arms should 
however be chosen so that when the photons go to inter- 
ferometers not associated, the outcomes are completely 
uncorrelated. 

Such a system features a passive state preparation by 
Alice, yielding sec urity against multiphoton splitting at- 
tacks (see section VIJ). In addition, it also features a 
passive basis choice by Bob, which constitutes an elegant 
solution: neither a random number generator, nor an 
active modulator are necessary. It is nevertheless clear 
that QBERdet and QBERacc (defined in eq. (|3|)) are 
doubled since the number of activated detectors is twice 
as high. This disadvantage is however not as important 
as it first appears since the alternative, a fast modula- 
tor, introduces losses close to 3dB, also resulting in an 
increase of these error contributions. The striking simi- 
larity between this scheme and the double Mach-Zehnder 
arrangement discussed in the context of faint laser pulses 

I and 



[V C 1 is obvious when comparing Fig. 



in section 
Fig. P 

This scheme has been realized in the first half of 2000 
by our group at Geneva University (Ribordy et ai, 2001). 
It constitutes the first experiment in which an asymmet- 
ric setup, optimized for QC was used instead of a system 
designed for tests of Bell inequality and having a source 
located in the center between Alice and Bob (see Fig. 
^ ). The two-photon source (a KNbOs crystal pumped 
by a doubled Nd-YAG laser) provides energy-time entan- 
gled photons at non-degenerate wavelengths - one around 
810 nm, the other one centered at 1550 nm. This choice 
allows to use high efficiency silicon based single photon 
counters featuring low noise to detect the photons of the 
lower wavelength. To avoid the high transmission losses 
at this wavelength in optical fibers, the distance between 
the source and the corresponding analyzer is very short. 



*^The imbalancement of the interferometers must be large 
enough so that the middle peak can easily be distinguished 
from the satellite ones. This minimal imbalancement is de- 
termined by the convolution of the detector's jitter (tens of 
ps) , the electronic jitter (from tens to hundreds of ps) and the 
single-photon coherence time (<lps). 



33 



of the order of a few meters. The other photon, at the 
wavelength where fiber losses are minimal, is sent via 
an optical fiber to Bob's interferometer and is then de- 
tected by InGaAs APD's. The decoherence induced by 
chromatic dispersion is limited by the use of dispersion- 
shifted optical fiber (see section IIIB 3 ). 

Implementing the BB84 protocols in the way discussed 
above, with a total of four interferometers, is difficult. 
They must indeed be aligned and their relative phase 
kept accurately stable during the whole key distribution 
session. To simplify this problem, we devised birefringcnt 
interferometers with polarization multiplexing of the two 
bases. Consequently, the constraint on the stability of the 
interferometers is equivalent to that encountered in the 
faint pulses double Mach-Zehnder system. We obtained 
interference visibilities of typically 92%, yielding in turn 
a QBERopt contribution of about 4%. We demonstrated 
QC over a transmission distance of 8.5 km in a laboratory 
setting using a fiber on a spool and generated several 
Mbits of key in hour long sessions. This is the largest 
span realized to date for QC with photon pairs. 

As already mentioned, it is essential for this scheme to 
have a pump laser whose coherence length is larger than 
the path imbalancement of the interferometers. In addi- 
tion, its wavelength must remain stable during a key ex- 
change session. These requirements imply that the pump 
laser must be somewhat more elaborate than in the case 
of polarization entanglement. 



2. Phase-time coding 



We have mentioned in section [V C that states gener- 
ated by two-paths interferometers are two-levels quantum 
systems. They can also be represented on a Poincare 
sphere. The four-states used for phase coding in the 
previous section would lie on the equator of the sphere, 
equally distributed. The coupling ratio of the beamsplit- 
ter is indeed 50%, and they differ only by a phase dif- 
ference introduced between the components propagating 
through either arm. In principle, the four-state proto- 
col can be equally well implemented with only two states 
on the equator and the two other ones on the poles. In 
this section, we present a system exploiting such a set 
of states. Proposed by our group in 1999 (Brendel et 
at, 1999), the scheme follows in principle the Franson 
configuration described in the context of phase coding. 
However, it is based on a pulsed source emitting entan- 
gled photons in so-called energy-time Bell states (Tittel 
et al. 2000). The emission time of the photon pair is 
therefore given by a superposition of only two discrete 
terms, instead of a wide and continuous range bounded 
only by the large coherence length of the pump laser (see 
paragraph VBl). 

Consider Fig. If Alice registers the arrival times 
of the photons with respect to the emission time of the 
pump pulse , she finds the photons in one of three time 



slots (note that she has two detectors to take into ac- 
count). For instance, detection of a photon in the first 
slot corresponds to "pump photon having traveled via the 
short arm and downconverted photon via the short arm" . 
To keep it short, we refer to this process as \s)p,\s)ai 
where P stands for the pump- and A for Alice's pho- 
ton]^. However, the characterization of the complete 
photon pair is still ambiguous, since, at this point, the 
path of the photon having traveled to Bob (short or long 
in his interferometer) is unknown to Alice. Figure Eq 
illustrates all processes leading to a detection in the dif- 
ferent time slots both at Alice's and at Bob's detector. 
Obviously, this reasoning holds for any combination of 
two detectors. In order to build up the secret key, Al- 
ice and Bob now publicly agree about the events where 
both detected a photon in one of the satellite peaks - 
without revealing in which one - or both in the central 
peak - without revealing the detector. This procedure 
corresponds to key-sifting. For instance, in the example 
discussed above, if Bob tells Alice that he also detected 
his photon in a satellite peak, she knows that it must 
have been the left peak as well. This is due to the fact 
that the pump photon has traveled via the short arm - 
hence Bob can detect his photon either in the left satellite 
or in the central peak. The same holds for Bob who now 
knows that Alice's photon traveled via the short arm in 
her interferometer. Therefore, in case of joint detection 
in a satellite peak, Alice and Bob must have correlated 
detection times. Assigning a bit value to each side peak, 
Alice and Bob can exchange a sequence of correlated bits. 

The cases where both find the photon in the central 
time slot are used to implement the second basis. They 
correspond to the \ s) p,\l) a\1) b and \1)p,\s)a\s)b 
possibilities. If these are indistinguishable, one obtains 
two-photon interferences, exactly as in the case discussed 
in the previous paragraph on phase coding. Adjusting 
the phases, and maintaining them stable, perfect corre- 
lations between output ports chosen by the photons at 
Alice's and Bob's interferometers are used to establish 
the key bits in this second basis. 

Phase-time coding has recently been implemented in a 
laboratory experiment by our group (Tittel et al., 2000) 
and was reported at the same time as the two polariza- 
tion entanglement-based schemes mentioned above. A 
contrast of approximately 93% was obtained, yielding a 
QBERopt contribution of 3.5%, similar to that obtained 
with the phase coding scheme. This experiment will be 
repeated over long distances, since losses in optical fibers 
are low at the downconverted photons' wavelength (1300 
nm). 

An advantage of this set-up is that coding in the time 
basis is particularly stable. In addition, the coherence 
length of the pump laser is not critical anymore. It is 



^Note that it does not constitute a product state. 



34 



however necessary to use relatively short pulses (« 500 
ps) powerful enough to induce a significant downconver- 
sion probability. 

Phase-time coding, as discussed in this section, can 
also be realized with faint laser pulses (Bechmann- 
Pasquinucci and Tittel, 2000). The 1-photon configu- 
ration has though never been realized, ft would be sim- 
ilar to the double Mach-Zehnder discussed in paragraph 
IV C 1 , but with the first coupler replaced by an active 
switch. For the time-basis, Alice would set the switch 
either to full transmission or to full reflection, while for 
the energy-basis she would set it at 50%. This illustrates 
how considerations initiated on photon pairs can yield 
advances on faint pulses systems. 



3. Quantum secret sharing 

In addition to QC using phase-time coding, we used the 
setup depicted in Fig. for the first proof-of-principle 
demonstration of quantum secret sharing - the general- 
ization of quantum key distribution to more than two 
parties (Tittel et ai, 2001). In this new application of 
quantum communication, Alice distributes a secret key to 
two other users, Bob and Charlie, in a way that neither 
Bob nor Charlie alone have any information about the 
key, but that together they have full information. Like 
with traditional QC, an eavesdropper trying to get some 
information about the key creates errors in the transmis- 
sion data and thus reveals her presence. The motivation 
behind quantum secret sharing is to guarantee that Bob 
and Charlie cooperate - one of them might be dishonest 
- in order to obtain a given piece of information. In con- 
trast with previous proposals using three-particle GHZ 
states (Zukowski et aL,1998, and Hillery et ai, 1999), 
pairs of entangled photons in so-called energy-time Bell 
states were used to mimic the necessary quantum cor- 
relation of three entangled qubits, albeit only two pho- 
tons exist at the same time. This is possible because 
of the symmetry between the preparation device acting 
on the pump pulse and the devices analyzing the down- 
converted photons. Therefore, the emission of a pump 
pulse can be considered as the detection of a photon with 
100% efficiency, and the scheme features a much higher 
coincidence rate than that expected with the initially pro- 
posed "triple-photon" schemes. 



VI. EAVESDROPPING 
A. Problems and Objectives 

After the qubit exchange and bases reconciliation, Al- 
ice and Bob each have a sifted key. Ideally, these are 
identical. But in real life, there are always some errors 
and Alice and Bob must apply some classical information 
processing protocols, like error correction and p rivacy 
amplification, to their data (see paragraph II C 4). The 
first protocol is necessary to obtain identical keys, the 
second to obtain a secret key. Essentially, the problem 
of eavesdropping is to find protocols which, given that 
Alice and Bob can only measure the QBER, either pro- 
vides Alice and Bob with a provenly secure key, or stops 
the protocol and informs the users that the key distribu- 
tion has failed. This is a delicate question, really at the 
intersection between quantum physics and information 
theory. Actually, there is not one, but several eavesdrop- 
ping problems, depending on the precise protocol, on the 
degree of idealization one admits, on the technological 
power one assumes Eve has and on the assumed fidelity 
of Alice and Bob's equipment. Let us immediately stress 
that the complete analysis of eavesdropping on quantum 
channel is by far not yet finished. In this chapter we 
review some of the problems and solutions, without any 
claim of mathematical rigor nor complete cover of the 
huge and fast evolving literature. 

The general objective of eavesdropping analysis is to 
find ultimate and practical proofs of security for some 
quantum cryptosystems. Ultimate means that the se- 
curity is guaranteed against entire classes of eavesdrop- 
ping attacks, even if Eve uses not only the best of to- 
day's technology, but any conceivable technology of to- 
morrow. They take the form of theorems, with clearly 
stated assumptions expressed in mathematical terms. In 
contrast, practical proofs deal with some actual pieces of 
hardware and software. There is thus a tension between 
"ultimate" and "practical" proofs. Indeed the first ones 
favor general abstract assumptions, whereas the second 
ones concentrate on physical implementations of the gen- 
eral concepts. Nevertheless, it is worth aiming at finding 
such proofs. In addition to the security issue, they pro- 
vide illuminating lessons for our general understanding 
of quantum information. 

In the ideal game Eve has perfect technology: she is 
only limited by the laws of quantum mechanics, but not 
at all by today's technology ^ In particular. Eve can- 



The question whether QC would survive the discovery of 
the currently unknown validity limits of quantum mechanics 
is interesting. Let us argue that it is likely that quantum me- 
chanics will always adequately describe photons at telecom 
and vsible wavelengths, like classical mechanics always ade- 
quately describes the fall of apples, whatever the future of 



35 



not clone the qubits, as this i s incom patible with quan- 
tum dynamics (see paragraph II C 2| ), but Eve is free to 
use any unitary interaction between one or several qubits 
and an auxiliary system of her choice. Moreover, after 
the interaction, Eve may keep her auxiliary system un- 
perturbed, in particular in complete isolation from the 
environment, for an arbitrarily long time. Finally, af- 
ter listening to all the public discussion between Alice 
and Bob, she can perform the measurement of her choice 
on her system, being again limited only by the laws of 
quantum mechanics. Moreover, one assumes that all er- 
rors are due to Eve. It is tempting to assume that some 
errors are due to Alice's and Bob's instruments and this 
probably makes sense in practice. But there is the danger 
that Eve replaces them with higher quality instruments 
(see next section)! 

In the next section we elaborate on the most relevant 
differences between the above ideal game (ideal espe- 
cially from Eve's point of view!) and real systems. Next, 
we return to the idealized situation and present several 
eavesdropping strategies, starting from the simplest ones, 
where explicit formulas can be written down and ending 
with a general abstract security proof. Finally, we dis- 
cus practical eavesdropping attacks and comment on the 
complexity of real system's security. 



B. Idealized versus real implementation 

Alice and Bob use technology available today. This 
trivial remark has several implications. First, all real 
components are imperfect, so that the qubits are pre- 
pared and detected not exactly in the basis described by 
the theory. Moreover, a real source always has a finite 
probability to produce more than one photon. Depending 
on the details of the encoding device, all photons carry 
the same qubit (see section VIJ). Hence, in principle. 
Eve could measure the photon number, wit hout p erturb- 
ing the qubit. This is discussed in section VIH. Recall 



that ideally, Alice should emit single qubit-photons, i.e. 
each logical qubit should be encoded in a single degree 
of freedom of a single photon. 

On Bob's side the situation is, first, that the efficiency 
of his detectors is quite limited and, next, that the dark 
counts (spontaneous counts not produced by photons) 
are non negligible. The limited efficiency is analogous to 
the losses in the quantum channel. The analysis of the 
dark counts is more delicate and no complete solution 
is known. Conservatively, Liitkenhaus (2000) assumes 
in his analysis that all dark counts provide information 
to Eve. He also advises that whenever two detectors 
fire simultaneously (generally due to a real photon and 
a dark count). Bob should not disregard such events but 



choose a value at random. Note also that the different 
contributions of dark count to the total QBER depend 
on whether Bob's choice of basis is im pleme nted using an 
active or a passive switch (see section IV A ). 

Next, one usually assumes that Alice and Bob have 
thoroughly checked their equipments and that it is func- 
tioning according to the specifications. This is not par- 
ticular to quantum cryptography, but is quite a delicate 
question, as Eve could be the actual manufacturer of the 
equipment! Classical crypto-systems must also be care- 
fully tested, like any commercial apparatuses. Testing a 
crypto-system is however delicate, because in cryptogra- 
phy the client buys confidence and security, two qualities 
difficult to quantify. D. Mayers and A. Yao (1998) pro- 
posed to use Bell inequality to test that the equipments 
really obey quantum mechanics, but even this is not en- 
tirely satisfactory. Indeed and interestingly, one of the 
most subtle loopholes in all present day tests of Bell in- 
equality, the detection loophole, can be exploited to pro- 
duce a purely classical software mimicking all quantum 
correlation (Gisin and Gisin 1999). This illustrates once 
again how close practical issues in QC are to philosophi- 
cal debates about the foundations of quantum physics! 

Finally, one has to assume that Alice and Bob are per- 
fectly isolated from Eve. Without such an assumption 
the entire game would be meaningless: clearly. Eve is 
not allowed to look over Alice's shoulder! But this el- 
ementary assumption is again a nontrivial one. What 
if Eve uses the quantum channel connecting Alice to the 
outside world? Ideally, the channel should incorporate an 
isolator ^ to keep Eve from shining light into Alice's out- 
put port to examine the interior of her laboratory. But 
all isolators operate only on a finite bandwidth, hence 
there should also be a filter. But filters h ave o nly a finite 
efficiency. And so on. Except for section VI K where this 



assumption is discussed, we henceforth assume that Alice 
and Bob are isolated from Eve. 



C. Individual, joint and collective attacks 

In order to simplify the problem, several eavesdrop- 
ping strategies of restricted generalities have been defined 
(Liitkenhaus 1996, Biham and Mor 1997a and 1997b) and 
analyzed. Of particular interest is the assumption that 
Eve attaches independent probes to each qubit and mea- 
sures her probes one after the other. This class of attacks 
is called individual attacks, also known as incohere nt at- 
tacks. Th is important class is analyzed in sections VI D 



and VIE, Two other classes of eavesdropping strate- 
gies let Eve process several qubits coherently, hence the 
name of coherent attacks. The most general coherent at- 



physics might be. 



Optical isolators, based on the Faraday effect, let light pass 
through only in one direction. 



36 



tacks are called joint attacks, while an intermediate class 
assumes that Eve attaches one probe per qubit, like in 
individual attacks, but can measure several probes coher- 
ently, like in coherent attacks. This intermediate class is 
called collective attacks. It is not known whether this 
class is less efhcient than the most general joint one. It is 
also not known whether it is more efficient than the sim- 
pler individual attacks. Actually, it is not even known 
whether joint attacks are more efhcient than individual 
ones! 

For joint and collective attacks, the usual assumption 
is that Eve measures her probe only after Alice and Bob 
have completed all their public discussion about bases 
reconciliation, error correction and privacy amplification. 
But for the more realistic individual attacks, one assumes 
that Eve waits only until the bases reconciliation phase 
of the public discussion^. The motivation for this is 
that one hardly sees what Eve could gain waiting for the 
public discussion on error correction and privacy ampli- 
fication before measuring her probes, since she is anyway 
going to measure them independently. 

Individual attacks have the nice feature that the prob- 
lem can be entirely translated into a classical one: Alice, 
Bob and Eve all have classical information in the form 
of random variables a, j3 an e, respectively, and the laws 
of quantum mechanics imposes constraints on the joint 
probability distribution P{a, (3, e). Such classical scenar- 
ios have been widely studied by the classical cryptology 
community and many results can thus be directly ap- 
plied. 



D. Simple individual attacks: intercept-resend, 
measurement in the intermediate basis 

The simplest attack for Eve consists in intercepting all 
photons individually, to measure them in a basis cho- 
sen randomly among the two bases used by Alice and to 
send new photons to Bob prep ared a ccording to her re- 
sult. As presented in paragraph [I C 3 and assuming that 
the BB84 protocol is used. Eve gets thus 0.5 bit of infor- 
mation per bit in the sifted key, for an induced QBER 
of 25%. Let us illustrate the general formalism on this 
simple example. Eve's mean information gain on Alice's 
bit, /(a,e), equals their relative entropy decrease: 



/(a, e) = Ha 



H, 



a posteriori 



(40) 



i.e. I{a,P) is the number of bits one can save writing a 
when knowing (3. Since the a priori probability for Alice's 
bit is uniform. Ha priori — 1- The a posteriori entropy 



*^With today's technology, it might even be fair to assume, 
in individual attacks, that Eve must measure her probe before 
the basis reconciliation. 



has to be averaged over all possible results r that Eve 
might get: 



H, 



a posteriori 



J2P{r)H{i\r) 



Hii\r) ^ -J2Pi^\r)\ogiP{i\r)) 



(41) 



(42) 



where the a posteriori probability of bit i given Eve's 
result r is given by Bayes's theorem: 



P{i\r) = 



P{r\i)P{i) 
P{r) 



(43) 



with P{r) = '^iP{A^)P {''')■ I'^ the case of intercept- 
resend. Eve gets one out of 4 possible results: r e {t, i 
, <—,—>}. After the basis has been revealed, Alice's input 
assumes one out of 2 values: i G {t, i} (assuming the t| 
basis was used, the other case is completely analogous). 
One gets P{i =t \r =T) = 1, P{i =T \r = \ and 

P{r) = i. Hence, /(a,e) = l^\h{l)~\h{\) = 1-i = \ 
(with h{p) =plog2(p) + {l-p) log2(l -p)). 

Another strategy for Eve, not more difficult to imple- 
ment, consists in measuring the photons in the inter- 
mediate basis (see Fig. g^, also known as the Brei- 
dbart basis (Bennett et al. 1992a). In this way the 
probability that Eve guesses the correct bit value is 
p — cos(7r/8)^ = i + « 0.854, corresponding to a 
QBER=2p(l — p) — 25% and Shannon information gain 
per bit of 



/ = 1 - H{p) w 0.399. 



(44) 



Consequently, this strategy is less advantageous for Eve 
than the intercept-resend one. Note however, that with 
this strategy Eve's probability to guess the correct bit 
value is 85.%, compared to only 75% in the intercept- 
resend case. This is possible because in the latter case 
Eve's information is deterministic in half the cases, while 
in the first one Eve's information is always probabilistic 
(formally this results from the convexity of the entropy 
function). 



E. Symmetric individual attacks 

In this section we present in some details how Eve 
could get a maximum Shannon information for a fixed 
QBER, assuming a perfect single qubit source and re- 
stricting Eve to attacks on one qubit after the other (i.e. 
individual attacks). The motivation is that this ideal- 
ized situation is rather easy to treat and nicely illustrates 
several of the subtleties of the subject. Here we concen- 
trate on the BB84 4-state protocol, for related results on 
the 2-state and the 6-state protocols see Fuchs and Peres 
(1996) and Bechmann-Pasquinucci and Gisin (1999), re- 
spectively. 



37 



The general idea of eavesdropping on a quantum chan- 
nel goes as follows. When a qubit propagates from Al- 
ice to Bob, Eve can let a system of her choice, called a 
probe, interact with the qubit (see Fig. ^8|). She can 
freely choose the probe and its initial state, but it has to 
be a system satisfying the quantum rules (i.e. described 
in some Hilbert space). Eve can also choose the interac- 
tion, but it should be independent of the qubit state and 
she should follow the laws of quantum mechanics, i.e. her 
interaction is described by a unitary operator. After the 
interaction a qubit has to go to Bob (in section VI H wc 



f/U,o) = U)®0x-HT)®ei 



(48) 



consider lossy channels, so that Bob does not always ex- 
pect a qubit, a fact that Eve can take advantage of). It 
makes no difference whether this qubit is the original one 
(possibly in a modified state) or not. Actually the ques- 
tion does not even make sense since a qubit is nothing 
but a qubit! But in the formalism it is convenient to use 
the same Hilbert space for the qubit sent by Alice and 
that received by Bob (this is no loss of generality, since 
the swap operator - defined by i/" <8i </> ^ </> (g) for all ip^cj) 
- is unitary and could be appended to Eve's interaction). 

Let TiEve and C^^^Hevc be the Hilbert spaces of Eve's 
probe and of the total qubit -|-probe system, respectively. 
If |m), |0) and U denote the qubit and the probe's initial 
states and the unitary interaction, respectively, then the 
state of the qubit received by Bob is given by the density 
matrix obtained by tracing out Eve's probe: 



PBobim) ^ Trn^^^AU\m,0){rh,0\U^). 



(45) 



The symmetry of the BB84 protocol makes it very nat- 
ural to assume that Bob's state is related to Alice's |m) 
by a simple shrinking factor^ ij e [0, 1] (see Fig. p9| ): 



PBobirh) 



•qma 



(46) 



Eavesdroppings that satisfy the above condition are 
called symmetric attacks. 

Since the qubit state space is 2-dimensional, the uni- 
tary operator is entirely determined by its action on two 
states, for example the | t) and | [) states (in this section 
we use spin i notations for the qubits). It is convenient 
to write the states after the unitary interaction in the 
Schmidt form (Peres 1997): 



c^lT,o) = |T)®0T + U>®^T 



(47) 



Chris Fuchs and Asher Peres were the first ones to derive 
the result presented in this section, using numerical optimiza- 
tion. Almost simultaneously Robert Griffiths and his stu- 
dent Chi-Sheng Niu derived it under very general conditions 
and Nicolas Gisin using the symmetry argument used here. 
These 5 authors joined efforts in a common paper (Fuchs et 
al. 1997). The result of this section is thus also valid without 
this symmetry assumption. 



where the 4 states (/)|, 9^ and 6i belong to Eve's probe 
Hilbert space TiEve and satisfy (j)^ _L 9-[ and (j)^ _L O^. 
By symmetry |<^||2 = |0J2 = j: ]^q^]2 ^ |^j2 ^ -j^ 

Unitarity imposes T + T) = 1 and 



(0T|ei) + (%|</)i)-O. 



(49) 



The (/)'s correspond to Eve's state when Bob gets the 
qubit undisturbed, while the 0's are Eve's state when 
the qubit is disturbed. 

Let us emphasize that this is the most general unitary 
interaction satisfying (^6|). One finds that the shrinking 
factor is given by: rj = J- — T). Accordingly, if Alice 
sends | t) and Bob measures in the compatible basis, 
then (t \pBob{rn)\ T) = T \s the probability that Bob 
gets the correct result. Hence T is the fidelity and V the 
QBER. 

Note that only 4 states span Eve's relevant state space. 
Hence, Eve's effective Hilbert space is at most of dimen- 
sion 4, no matter how subtle she mig ht be0! This greatly 
simplifies the analysis. 

The symmetry imposes that the attack on the other 
basis satisfies: 



T,o) + U,o) 
(I T>®0T + U>®' 



V2 



])®0i) 



where 



(0T + e^ + c^i + %) 
(01 -e^-^i + %) 



Similarly, 



9t + 



(50) 

(51) 

(52) 
(53) 



(54) 
(55) 

(56) 
(57) 



Condition ( p6| ) for the {| ^), | ^)} basis implies: 9^ _L 
(f)^ and 9^ _L cj)^. By proper choice of the phases, 



((/)||0|) can be made real. By condition 
then also real. Symmetry implies then 



IS 

5R. 



Actually, Niu and Griffiths (1999) showed that 2- 
dimensional probes suffice for Eve to get as much information 
as with the strategy presented here, though in their case the 
attack is not symmetric (one basis is more disturbed than the 
other). 



38 



A straightforward computation concludes that all scalar 
products among Eve's states are real and that the cj)'s 
generate a subspace orthogonal to the 6''s: 



(</>T|0i) = ((/)J%)=O. 



(58) 



Finally, using = i.e. that the shrinking is the 

same for all states, one obtains a relation between the 
probe states' overlaps and the fidelity: 



1 



(0Tl0i> + (eTl^i> 



(59) 



where the hats denote normalized states, e.g. 0| = ■^=. 

Consequently, the entire class of symmetric individual 
attacks depends only on 2 real parameters]^ cos(x) = 

and cos(y)= (^tl^i)! 
Thanks to the symmetry, it suffices to analyze this 
scenario for the case that Alice sends the | t) state and 
Bob measures in the {T,i} basis (if not, Alice, Bob and 
Eve disregard the data). Since Eve knows the basis, she 
knows that her probe is in one of the following two mixed 
states: 



PB.e(T) -^-P(0t)+2'^'(%) 



(60) 
(61) 



An optimum measurement strategy for Eve to distinguish 
between p_E«e(T) and PEveii) consists in first distinguish- 
ing whether her state is in the subspace generated by 0| 
and or the one generated by 9^ and 9i. This is pos- 
sible, since the two subspaces are mutually orthogonal. 
Eve has then to distinguish between two pure states, ei- 
ther with overlap cos(a::), or with overlap cos(y). The first 
alternative happens with probability JF, the second one 
with probability V. The optimal measurement distin- 
guishing two states with overlap cos(x) is known to pro- 
vide Eve with the correct guess with probability 
(Peres 1997). Eve's maximal Shannon information, at- 
tained when she does the optimal measurements, is thus 
given by: 



\ T I ^ , .1 + sin(x) 
/(a, e)=T - [1- h{ ) 



(62) 
(63) 



^■^Interestingly, when the symmetry is extended to a third 
maximally co njugat ed basis, as natural in the 6-state protocol 
of paragraph [ID 2, then the number of parameters reduces 



to one. This parameter measures the relative quality of Bob's 
and Eve's "copy" of the qubit send by Alice. When both 
copies are of equal q ualit y, one recovers the optimal cloning 
presented in section 11 F (Bechmann-Pasquinucci and Gisin 
1999). 



where h{p) = — plog2(p) — (1—) log2(l — p). For a given 
error rate V, this information is maximal when x = y. 



Consequently, for V 



1— cos(a;) 



one has: 



/— (a,e) = l-M^i^^)• 



(64) 



This provides the explicit and analytic optimum eaves- 
dropping strategy. For x = the QBER (i.e. V) and 
the information gain are zero. For x — 7t/2 the QBER 
is i and the information gain 1. For small QBERs, the 
information gain grows linearly: 



/'°"'^(a,e) 



ln(2) 



V + 0{Vf w 2.9 V 



(65) 



Once Alice, Bob and Eve have measured their quantum 
systems, they are left with classical random variables a, /3 
and e, respectively. Secret key agreement between Alice 
and Bob is then possible using only error correction and 
privacy amplification if and only if the Alice-Bob mutual 
Shannon information /(a, (3) is larger than the Alice-Eve 
or the Bob-Eve mutual information^, I(a, /3) > /(a, e) 
or I{a,f3) > I{P,e). It is thus interesting to compare 
Eve's maximal information ( |6^ ) with Bob's Shannon in- 
formation. The latter depends only on the error rate V: 



I(a,l3) 



h(V) 



(l-I?)log2(l-I?) 



(66) 
(67) 



Bob's and Eve's information are plotted on Fig. As 
expected, for low error rates T), Bob's information is 
larger. But, more errors provide Eve with more infor- 
mation, while Bob's information gets lower. Hence, both 
information curves cross at a specific error rate 'Dq: 



V = Vo 



1-1/V2 



15% 
(68) 



Consequently, the security criteria against individual at- 
tacks for the BB84 protocol reads: 



B-B84 secure 



V<Vn = 



1-1/^2 



(69) 



For QBERs larger than Vq no (one-way communica- 
tion) error correction and privacy amplification protocol 
can provide Alice and Bob with a secret key immune 
against any individual attacks. 



^•^Note, however, that if this condition is not satisfied, other 
protocols might sometimes be used, see paragraph 



lie 



These protocols are significantly less efficient and are usu- 
ally not considered as part of "standard" QC. Note also that 
in the scenario analysed in this section I{l3, e) — I {a, e). 



39 



Let us mention that more general cl assica l protocols, 
called advantage distillation (paragraph II C 5| ), using two 
way communication, exist. These can guarantee secrecy 
if and only if Eve's intervention does not disentangle Al- 
ice and Bob's qubits (assuming they use the Ekert ver- 
sion of the BB84 protocol) (Gisin and Wolf 2000). If 
Eve optimizes her Shannon information, as discussed in 
this section, this disentanglement-limit corresponds to a 
QBER== 1 - l/^/2 w 30% (Gisin and Wolf 1999). But, 
using more brutal strategies, Eve can disentangled Alice 
and Bob aheady for a QBER of 25%, see Fig. |o[ The 
latter is thus the absolute upper limit, taking into ac- 
count the most general secret-key protocols. In practice, 
the limit (^8|) is more realistic, since advantage distilla- 
tion algorithms are much less efficient than the classical 
privacy amplification ones. 



F. Connection to Bell inequality 

There is an intriguing connection between the above 
tight bound (|6^) and the CHSH form of Bell inequality 
(Bell 1964, Clauser et al. 1969, Clauser and Shimony 
1978, Zeilinger 1999): 

S = E{a, b) + E{a, b') + E{a' , h) ~ E{a', b') < 2 (70) 

where E{a, b) is the correlation between Alice and Bob's 
data when measuring (Tq®! and l(8)tT;,, where a a denotes 
an observable with eigenvalues ±1 parameterized by the 
label a. Recall that Bell inequalities are necessarily sat- 
isfied by all local models, but are violated by quantum 
mechanicg|^. To establish this connection, assume that 
the same quantum channel is used to test Bell inequality. 
It is well-known that for error free channels, a maximal 
violation by a factor \/2 is achievable: Smax — 2\/2 > 2. 
However, if the channel is imperfect, or equivalently if 
some perturbator Eve acts on the channel, then the quan- 
tum correlation i?(a, b\D) is reduced, 

E{a,b\V)=T-E{a,b)-V-E{a,b) (71) 
= {1-2V) ■ E{a,b) (72) 

where E{a, b) denote the correlation for the unperturbed 
channel. The achievable amount of violation is then re- 
duced to SmaxCD) = (1 — 2I?)2V2 and for large pertur- 
bations no violation at all can be achieved. Interestingly, 
the critical perturbation V up to which a violation can 
be observed is precisely the same Vq as the limit derived 
in the previous section for the security of the BB84 pro- 
tocol: 



1-1/V2 



(73) 



This is a surprising and appealing connection between 
the security of QC and tests of quantum nonlocality. 
One could argue that this connection is quite natural, 
since, if Bell inequality were not violated, then quantum 
mechanics would be incomplete and no secure commu- 
nication could be based on such an incomplete theory. 
In some sense. Eve's information is like probabilistic lo- 
cal hidden variables. However, the connection between 
( |69| ) and (^3|) has not been generalized to other protocols. 
A complete picture of these connections is thus not yet 
available. 

Let us emphasize that nonlocality plays no direct role 
in QC. Indeed, generally, Alice is in the absolute past 
of Bob. Nevertheless, Bell inequality can be violated as 
well by space like separated events as by time like sep- 
arated events. However, the independence assumption 
necessary to derive Bell inequality is justified by locality 
considerations only for space-like separated events. 



G. Ultimate security proofs 

The security proof of QC with perfect apparatuses and 
a noise-free channel is straightforward. However, the fact 
that security can still be proven for imperfect apparatuses 
and noisy channels is far from obvious. Clearly, some- 
thing has to be assumed about the apparatuses. In this 
section we simply make the hypothesis that they are per- 
fect. For the channel which is not under Alice and Bob's 
control, however, nothing is assumed. The question is 
then: up to which QBER can Alice and Bob apply er- 
ror correction and privacy amplification to their classical 
bits? In the previous sections we found that the threshold 
is close to a QBER of 15%, assuming individual attacks. 
But in principle Eve could manipulate several qubits co- 
herently. How much help to Eve this possibility provides 
is still unknown, though some bounds are known. Al- 
ready in 1996, Dominic Mayers (1996b) presented the 
main ideas on how to prove securityp^ In 1998, two ma- 
jor papers were made public on the Los Alamos archives 
(Mayers 1998, and Lo and Chau 1999). Nowadays, these 
proofs are generally considered as valid, thanks - among 



^''Let us stress that the CHSH-Bell inequality is the strongest 
possible for two qubits. Indeed, this inequality is violated if 
and only if the correlation can't be reproduced by a local 
hidden variable model (Pitowski 1989). 



^^I (NG) vividly remember the 1996 ISI workshop in Torino, 
sponsored by Elsag-Bailey, were I ended my talk stressing the 
importance of security proofs. Dominic Mayers stood up, gave 
some explanation, and wrote a formula on a transparency, 
claiming that this was the result of his proof. I think it is 
fair to say that no one in the audience understood Mayers' 
explanation. But I kept the transparency and it contains the 
basic eq. (j?^) (up to a factor 2, which corresponds to an 
improvement of Mayers result obtained in 2000 by Shor and 
Preskill, using also ideas from Lo and Chau)! 



40 



others - to the works of P. Shor and J. Preskill (2000), 
H. Inamori et al. (2001) and of E. Biham et al. (1999). 
But it is worth noting that during the first years after 
the first disclosure of these proofs, essentially nobody in 
the community understood them! 

Here we shall present the argument in a form quite 
different from the original proofs. Our presentation aims 
at being transparent in the sense that it rests on two 
theorems. The proofs of the theorems are hard and will 
be omitted. However, their claims are easy to understand 
and rather intuitive. Once one accepts the theorems, the 
security proof is rather straightforward. 

The general idea is that at some point Alice, Bob and 
Eve perform measurements on their quantum systems. 
The outcomes provide them with classical random vari- 
ables a, P and e, respectively, with P{a, f3, e) the joint 
probability distribution. The first theorem, a standard 
of classical information based cryptography, states nec- 
essary and sufficient condition on P(a,/3, e) for the pos- 
sibility that Alice and Bob extract a secret key from 
P{a,P,e) (Csiszar and Korner 1978). The second the- 
orem is a clever version of Heisenberg's uncertainty re- 
lation expressed in terms of available information (Hall 
1995): it sets a bound on the sum of the information 
available to Bob and to Eve on Alice's key. 

Theorem 1. For a given P{a,(3,e), Alice and Bob 
can establish a secret key (using only error correc- 
tion and classical privacy amplification) if and only if 
I{a,(3) > I{a,e) or /(a,/3) > /(/3,e), where I{a,(3) ^ 
H{a) — H{a\(3) denotes the mutual information, with H 
the Shannon entropy. 

Theorem 2. Let E and B be two observables in an N 
dimensional Hilbert space. Denote e, /3, |e) and \/3) the 
corresponding eigenvalues and eigenvectors, respectively, 
and let c — maxe^^{|(e|/3) |}. Then 



/(a,e)+/(a,/3) <21og2(iVc), 



(74) 



where I{a,e) = H{a) - H{a\e) and /(a,/3) = H{a) - 
H{a\(i) are the entropy differences corresponding to the 
probability distribution of the eigenvalues a prior to and 
deduced from any measurement by Eve and Bob, respec- 
tively. 

The first theorem states that Bob must have more in- 
formation on Alice's bits than Eve (see Fig. |l|). Since 
error correction and privacy amplification can be imple- 
mented using only 1-way communication, theorem 1 can 
be understood intuitively as follows. The initial situa- 
tion is depicted in a). During the public phase of the 
protocol, because of the 1-way communication. Eve re- 
ceives as much information as Bob, the initial information 
difference 5 thus remains. After error correction, Bob's 
information equals 1, as illustrated on b). After privacy 
amplification Eve's information is zero. In c) Bob has re- 
placed all bits to be disregarded by random bits. Hence 
the key has still the original length, but his information 
has decreased. Finally, removing the random bits, the 
key is shortened to the initial information difference, see 



d). Bob has full information on this final key, while Eve 
has none. 

The second theorem states that if Eve performs a mea- 
surement providing her with some information /(a, e), 
then, because of the perturbation, Bob's information is 
necessarily limited. Using these two theorems, the ar- 
gument now runs as follows. Suppose Alice sends out 
a large number of qubits and that n where received by 
Bob in the correct basis. The relevant Hilbert space's 
dimension is thus iV = 2". Let us re-label the bases used 
for each of the n qubits such that Alice used n times 
the x-basis. Hence, Bob's observable is the n-time ten- 
sor product Gx ® ■■■ ® (Jx- By symmetry. Eve's optimal 
information on the correct bases is precisely the same as 
her optimal information on the incorrect ones (Mayers 
1998). Hence one can bound her information assuming 
she measures Uz ® ■■■ ® (Jz- Accordingly, c — 2^"/^ and 
theorem 2 implies: 



/(a,e)-f/(a,/?)<21og2(2"2-"/2) 



(75) 



That is, the sum of Eve's and Bob's information per 
qubit is smaller or equal to 1. This is quite an intu- 
itive result: together. Eve and Bob cannot get more 
information than sent out by Alice! Next, combining 
the bound ( |75| ) with theorem 1, one deduces that a se- 
cret key is achievable whenever /(a,/?) > n/2. Using 
/(a,/3) = n(l-I?log2(I?)-(l-P)log2(l-P)) one 
obtains the sufhcient condition on the error rate V (i.e. 
the QBER): 



{l-V)\og^{l-V)<- 



(76) 



i.e. V < 11%. 

This bound, QBER<11%, is precisely that obtained 
in Mayers proof (after improvement by P. Shor and J. 
Preskill (2000)). The above proof is, strickly speaking, 
only valid if the key is much longer than the number of 
qubits that Eve attacks coherently, so that the Shannon 
informations we used represent averages over many in- 
dependent realisations of classical random variables. In 
other words, assuming that Eve can attack coherently a 
large but finite number no of qubits, Alice and Bob can 
use the above proof to secure keys much longer than no 
bits. If one assumes that Eve has an unlimited power, 
able to attack coherently any number of qubits, then the 
above proof does not apply, but Mayer's proof can still 
be used and provides precisely the same bound. 

This 11% bound for coherent attacks is clearly com- 
patible with the 15% bound found for individual attacks. 
The 15% bound is also a necessary one, since an explicit 
eavesdropping strategy reaching this bound is presented 
in section VIE. It is not known what happens in the 



intermediate range 11% < QBER < 15%, but the fol- 
lowing is plausible. If Eve is limited to coherent attacks 
on a finite number of qubits, then in the limit of arbi- 
trarily long keys, she has a negligibly small probability 
that the bits combined by Alice and Bob during the error 



41 



correction and privacy amplification protocols originate 
from qubits attacked coherently. Consequently, the 15% 
bound would still be valid (partial results in favor of this 
conjecture can be found in Cirac and Gisin 1997, and 
in Bechmann-Pasquinucci and Gisin 1999). However, if 
Eve has unlimited power, in particular, if she can coher- 
ently attack an unlimited number of qubits, then the 11% 
bound might be required. 

To conclude this section, let us stress that the above 
security pr oof eq ually applies to the 6-state protocol 
(paragraph II D 2 ) . It also extends straightforwardly to 
protocols using larger alphabets (Bechmann-Pasquinucci 
and Tittel 2000, Bechmann-Pasquinucci and Peres 2000, 
Bourennane et al. 2001a, Bourennane et al. 2001b). 



H. Photon number measurements, lossless channels 



In section III A we saw that all real photon sources 
have a finite probability to emit more than 1 photon. If 
all emitted photons encode the same qubit, Eve can take 
advantage of this. In principle, she can first measure 
the number of photons in each pulse, without disturbing 
the degree of freedom encoding the qubitsQ. Such mea- 
surements are sometimes called Quantum Non Demoli- 
tion (QND) measurements, because they do not perturb 
the qubit, in particular they do not destroy the photons. 
This is possible because Eve knows in advance that Al- 
ice sends a mixture of state s with well defined photon 
numbers^, (see section OF). Next, if Eve finds more 
than one photon, she keeps one and sends the other(s) 
to Bob. In order to prevent that Bob detects a lower 
qubit rate, Eve must use a channel with lower losses. Us- 
ing an ideally lossless quantum channel. Eve can even, 
under certain conditions, keep one photon and increase 
the probability that pulses with more than one photon 
get to Bob! Thirdly, when Eve finds one photon, she 
may destroy it with a certain probability, such that she 
does not affect the total number of qubits received by 
Bob. Consequently, if the probability that a non-empty 
pulse has more than one photon (on Alice's side) is larger 
than the probability that a non-empty pulse is detected 



by Bob, then Eve can get full information without intro- 
ducing any perturbation! This is possible only when the 
QC protocol is not perfectly implemented, but this is a 
realistic situation (Huttner et al. 1995, Yuen 1997). 

The QND atacks have recently received a lot of at- 
tention (Liitkenhaus 2000, Brassard et al. 2000). The 
debate is not yet settled. We would like to argue that 
it might be unrealistic, or even unphysical, to assume 
that Eve can perform ideal QND attacks. Indeed, first 
she needs the capacity to perform QND photon number 
measurements. Although impossible with today's tech- 
nology, this is a reasonable assumption (Nogues et al. 
1999). Next, she should be able to keep her photon until 
Alice and Bob reveal the basis. In principle this could 
be achieved using a lossless channel in a loop. We dis- 
cuss this eventuality below. Another possibility would 
be that Eve maps her photon to a quantum memory. 
This does not exist today, but might well exist in the 
future. Note that the quantum memory should have es- 
sentially unlimited time, since Alice and Bob could easily 
wait for minutes before revealing the basesQ. Finally, 
Eve must access a lossless channel, or at least a chan- 
nel with losses lower than that used by Alice and Bob. 
This might be the most tricky point. Indeed, besides 
using a shorter channel, what can Eve do? The tele- 
com fibers are already at the physical limits of what can 
be achieved (Thomas et al. 2000). The loss is almost 
entirely due to the Rayleigh scattering which is unavoid- 
able: solve the Schrodinger equation in a medium with 
inhomogeneities and you get scattering. And when the 
inhomogeneities are due to the molecular stucture of the 
medium, it is difficult to imagine lossless fibers! The 0.18 
dB/km attenuation in silica fibers at 1550 nm is a lower 
bound which is based on physics, not on technology^. 
Note that using the air is not a viable solution, since the 
attenuation at the telecom wavelengths is rather high. 
Vacuum, the only way to avoid Rayleigh scattering, has 
also limitations, due to diffraction, again an unavoidable 
physical phenomenon. In the end, it seems that Eve has 
only two possibilities left. Either she uses teleportation 
(with extremely high success probability and fidelity) or 



For polarization coding, this is quite clear. But for phase 
coding one may think (incorrectly) that phase and photon 
number are incompatible! However, the phase used for en- 
coding is a relative phase between two modes. Whether these 
modes are polarization modes or correspond to different times 
(determined e.g. by the relative length of interferometers), 
does not matter. 

^'^Recall that a mixture of coherent states |e"^a) with a 
random phase as produced by lasers when no phase ref- 
erence in available, is equal to a mixture of photon num- 
ber states |n) with Poisson statistics: \e^'^a){e"^a\^ — 

T,n>o ^e""|n)(^^l- where fi = \a\^ . 



The quantum part of the protocol could run continuously, 
storing large ammount of raw classical data. But the classical 
part of the protocol, processing these raw data, could take 
place just seconds before the key is used. 

^^Photonics crystal fibers have the potential to overcome 
the Rayleigh scaterring limit. Actually, there are two kinds 
of such fibers. The first kind guides light by total internal 
reflection, like in ordinary fibers. In these most of the light 
also propagates in silica, and thus the loss limit is similar. In 
the second kind, most of the light propagates in air, thus the 
theoretical loss limit is lower. However, today the losses are 
extremely high, in the range of hundreds of dB/km. The best 
reported result that we are aware of is 11 dB/km and it was 
obtained with a flber of the first kind (Canning et al. 2000). 



42 



she converts the photons to another wavelength (with- 
out perturbing the qubit). Both of these "solutions" are 
seemingly unrealistic in any foreseeable future. 

Consequently, when considering the type of attacks 
discussed in this section, it is essential to distinguish the 
ultimate proofs from the practical ones discussed in the 
first part of this chapter. Indeed, the assumptions about 
the defects of Alice and Bob's apparatuses must be very 
specific and might thus be of limited interest. While for 
practical considerations, these assumptions must be very 
general and might thus be excessive. 



I. A realistic beamsplitter attack 

The attack presented in the previous section takes ad- 
vantage of the pulses containing more than one photon. 
However, as discussed, it uses unrealistic assumptions. 
In this section, following N. Liitkenhaus (2000) and M. 
Dusek et al (2000), we briefly comment on a realistic at- 
tack, also exploiting the multiphoton pulses (for details, 
see Felix et al. 2001, where this and another examples 
are presented). Assume that Eve splits all pulses in two, 
analysing each half in one of the two bases, using pho- 
ton counting devices able to distinguish pulses with 0, 
1 and 2 photons (see Fig. |3|). In practice this could 
be realized using many single photon counters in paral- 
lel. This requires nearly perfect detectors, but at least 
one does not need to assume technology completely out 
of today's realm. Whenever Eve detects two photons 
in the same output, she sends a photon in the corre- 
sponding state into Bob's apparatus. Since Eve's infor- 
mation is classical, she can overcome all the losses of the 
quantum channel. In all other cases. Eve sends noth- 
ing to Bob. In this way. Eve sends a fraction 3/8 of the 
pulses containing at least 2 photons to Bob. On these, 
she introduces a QBER=l/6 and gets an information 
I{A, £:) = 2/3 = 4 • QBER. Bob doesn't see any re- 
duction in the number of detected photons, provided the 
transmission coefficient of the quantum channel t satis- 
fies: 



t < -Prob(n > 2|n > 1) w — 
- 8 V - I - ; 



(77) 



where the last expression assumes Poissonian photon dis- 
tribution. Accordingly, for a fixed QBER, this attacks 
provides Eve with twice the information she would get 
using the intercept resend strategy. To counter such an 
attack, Alice should use a mean photon number such 
that Eve can only use this attack on a fraction of the 
pulses. For example, Alice could use pulses weak enough 
that Eve's mean information gain is identical to the one 
she would obtain wi th the simple intercept resend strat- 
egy (see paragraph [I C 3 ). For 10, 14 and 20 dB at- 
tenuation, this corresponds to fj, — 0.25, 0.1 and 0.025, 
respectively. 



J. Multi-photon pulses and passive choice of states 

Multi-photon pulses do not necessarily constitute a 
threat for the key security, but limit the key creation 
rate because they imply that more bits must be discarded 
during key distillation. This fact is based on the assump- 
tion that all photons in a pulse carry the same qubit, so 
that Eve does not need to copy the qubit going to Bob, 
but merely keeps the copy that Alice inadvertently pro- 
vides. When using weak pulses, it seems unavoidable 
that all the photons in a pulse carry the same qubit. 
However, in 2-photon implementations, each photon on 
Alice's side chooses independently a state (in the experi- 
ments of Ribordy et al. 2001 and Tittel et al. 2000, each 
photon chooses randomly both its basis and its bit value; 
in the experiments of Naik et al. 2000 and Jennewein et 
al. 2000b, the bit value choice only is random). Hence, 
when two photon pairs are simultaneously produced, by 
accident, the two twins carry independent qubits. Con- 
sequently, Eve can't take advantage of such multi-photon 
twin-pulses. This might be one of the main advantages 
of the 2-photon schemes compared to the much simpler 
weak-pulse schemes. But the multi-photon problem is 
then on Bob's side who gets a noisy signal, consisting 
partly in photons not in Alice's state! 



K. Trojan Horse Attacks 

All eavesdropping strategies discussed up to now con- 
sisted of Eve's attempt to get a maximum information 
out of the qubits exchanged by Alice and Bob. But Eve 
can also follow a completely different strategy: she can 
herself send signals that enter Alice and Bob's offices 
through the quantum channel. This kind of strategies 
are called Trojan horse attacks. For example. Eve can 
send light pulses into the fiber entering Alice or Bob ap- 
paratuses and analyze the backreflected light. In this 
way, it is in principle possible to detect which laser just 
flashed, or which detector just fired, or the settings of 
phase and polarization modulators. This cannot be sim- 
ply prevented by using a shutter, since Alice and Bob 
must leave the "door open" for the photons to go out 
and in, respectively. 

In most QC-setups the amount of backreflected light 
can be made very small and sensing the apparatuses with 
light pulses through the quantum channel is difficult. 
Nevertheless, this attack is especially thre atening in the 
plug-&-play scheme on Alice's side (section [ V C 2| ) , 
a mirror is used to send the light pulses 



since 
jack to Bob. 

So in principle, Eve can send strong light pulses to Alice 
and sense the applied phase shift. However, by applying 
the phase shift only during a short time Atphaseis- few 
nanoseconds), Alice can oblige Eve to send the spying 
pulse at the same time as Bob. Remember that in the 
plug-&-play scheme pulse coming from Bob are macro- 
scopic and an attenuator at Alice reduces them to the 



43 



below one photon level, say 0.1 photons per pulse. Hence, 
if Eve wants to get, say 1 photon per pulse, she has to 
send 10 times Bob's pulse energy. Since Alice is detect- 
ing Bob's pulses for triggering her apparatus, she must 
be able to detect an increase of energy of these pulses 
in order to reveal the presence of a spying pulse. This 
is a relatively easy task, provided that Eve's pulses look 
the same as Bob's. But, Eve could of course use another 
wavelength or ultrashort pulses (or very long pulses with 
low intensity, hence the importance of Atphase), there- 
fore Alice must introduce an optical bandpass filter with 
a transmission spectrum corresponding to the sensitivity 
spectrum of her detector, and choose a Atphase that fits 
to the bandwidth of her detector. 

There is no doubt that Trojan horse attacks can be 
prevented by technical measures. However, the fact that 
this class of attacks exist illustrates that the security of 
QC can never be guaranteed only by the principles of 
quantum mechanics, but necessarily relies also on tech- 
nical measures that are subject to discussions ^ 



L. Real security: technology, cost and complexity 

Despite the elegant and generality of security proofs, 
the dream of a QC system whose security relies entirely 
on quantum principles is unrealistic. The technological 
implementation of the abstract principles will always be 
questionable. It is likely that they will remain the weak- 
est point in all systems. Moreover, one should remember 
the obvious equation: 



Infinite security 



Infinite cost (78) 
Zero practical interest 



On the other hand, however, one should not under- 
estimate the following two advantages of QC. First, it 
is much easier to forecast progress in technology than in 
mathematics: the danger that QC breaks down overnight 
is negligible, contrary to public-key cryptosystems. Next, 
the security of QC depends on the technological level of 
the adversary at the time of the key exchange, contrary 
to complexity based systems whose coded message can 
be registered and broken thanks to future progress. The 
latter point is relevant for secrets whose value last many 
years. 

One often points at the low bit rate as one of the cur- 
rent limitations of QC. However, it is important to stress 
that QC must not necessarily be used in conjunction with 
one-time pad encryption. It can also be used to provide 
a key for a symmetrical cipher - such as AES - whose 
security is greatly enhanced by frequent key changes. 



To conclude this chapter, let us briefly elaborate on 
the differences and similarities between technological and 
mathematical complexity and on their possible connec- 
tions and implications. Mathematical complexity means 
that the number of steps needed to run complex algo- 
rithms explodes exponentially when the size of the input 
data grows linearly. Similarly, one can define technolog- 
ical complexity of a quantum computer by an exploding 
difficulty to process coherently all the qubits necessary 
to run a (non-complex) algorithm on a linearly growing 
number of input data. It might be interesting to con- 
sider the possibility that the relation between these two 
concepts of complexity is deeper. It could be that the 
solution of a problem requires either a complex classi- 
cal algorithm or a quantum one which itself requires a 
complex quantum computer^. 



VII. CONCLUSION 

Quantum cryptography is a fascinating illustration of 
the dialog between basic and applied physics. It is based 
on a beautiful combinations of concepts from quantum 
physics and information theory and made possible thanks 
to the tremendous progress in quantum optics and in the 
technology of optical fibers and of free space optical com- 
munication. Its security principle relies on deep theorems 
in classical information theory and on a profound under- 
standing of the Heisenberg's uncertainty principle, as il- 
lustrated by theorems 1 and 2 in section VI G (the only 
mathematically involved theorems in this review!). Let 
us also emphasize the important contributions of QC to 
classical cryptography: privacy am plificat ion and cl assi- 
cal bound information (paragraphs II C 4 and [I C 5 ) are 
examples of concepts in classical information whose dis- 
covery were much inspired by QC. Moreover, the fasci- 
nating tension between quantum physics and relativity, 
as illustrated by Bell's inequality, is not far away, as dis- 
cussed in section VI F. Now, despite the huge progress 



over the recent years, many open questions and techno- 
logical challenges remain. 

One technological challenge at present concerns im- 
proved detectors compatible with telecom fibers. Two 
other issues concern free space QC and quantum re- 
peaters. The first is presently the only way to realize 
QC over thousand s of k ilometers using near future tech- 
nology (see section IVE). The idea of quantum repeaters 
(section HI E ) is to encode the qubits in such a way that if 



the error rate is low, then errors can be detected and cor- 
rected entirely in the quantum domain. The hope is that 



^"Another technological loophole, recently pointed out by 
Kurtsiefer et at, is the possible information leakage caused 
by light emitted by APDs during their breakdown (2001). 



^^Penrose (1994) pushes these speculations even further, 
suggesting that spontaneous collapses stop quantum com- 
puters whenever they try to compute beyond a certain 
complexity. 



44 



such techniques could extend the range of quantum com- 
munication to essentially unlimited distances. Indeed, 
Hans Briegel, then at Innsbruck University (1998), and 
coworkers, showed that the number of additional qubits 
needed for quantum repeaters can be made smaller than 
the numbers of qubits needed to improved the fidelity of 
the quantum channel (Dur et al. 1999). One could thus 
overcome the decoherence problem. However, the main 
practical limitation is not decoherence but loss (most 
photons never get to Bob, but those which get there, 
exhibit high fidelity). 

On the open questions side, let us emphasize three 
main concerns. First, complete and realistic analyses 
of the security issues are still missing. Next, figures of 
merit to compare QC schemes based on different quan- 
tum systems (with different dimensions for example) are 
still awaited. Finally, the delicate question of how to 
test the apparatuses did not yet receive enough atten- 
tion. Indeed, a potential customer of quantum cryptog- 
raphy buys confidence and secrecy, two qualities hard to 
quantify. Interestingly, both of these issues have a con- 
nection with Bell inequality (see sections VI F and VI B| ). 
But, clearly, this connection can not be phrased in the old 
context of local hidden variables, but rather in the con- 
text of the security of tomorrows communications. Here, 
like in all the field of quantum information, old concepts 
are renewed by looking at them from a fresh perspective; 
let's exploit the quantum weirdness! 

QC could well be the first application of quantum me- 
chanics at the single quanta level. Experiments have 
demonstrated that keys can be exchanged over distances 
of a few tens of kilometers at rates at least of the order 
of a thousand bits per second. There is no doubt that 
the technology can be mastered and the question is not 
whether QC will find commercial applications, but when. 
Indeed, presently QC is still very limited in distance and 
in secret-bit rate. Moreover, public key systems occupy 
the market and, being pure software, are tremendously 
easier to manage. Every so often, the news is that some 
classical ciphersystem has been broken. This would be 
impossible with properly implemented QC. But this ap- 
parent strength of QC might turn out to be its weak 
point: the security agencies would equally be unable to 
break quantum cryptograms! 



ACKNOWLEDGMENTS 

Work supported by the Swiss FNRS and the European 
projects EQCSPOT and QUCOMM financed by the Swiss 
OPES. The authors would also like to thank Richard Hughes 
for providing Fig. |^, and acknowledge both referees, Charles 
H. Bennett and Paul G. Kwiat, for their very careful reading 
of the manuscript and their helpful remarks. 



REFERENCES 

Ardehah, M., H. F. Chau and H.-K. Lo, 1998, "Efficient 
Quantum Key Distribution", quant-ph/9803007. 

Aspect, A., J. Dalibard, and G. Roger, 1982, "Experimen- 
tal Test of Bell's Inequalities Using Time- Varying Analyzers" , 
Phys. Rev. Lett. 49, 1804-1807. 

Bechmann-Pasquinucci, H., and N. Gisin, 1999, "Incoher- 
ent and Coherent Eavesdropping in the 6-state Protocol of 
Quantum Cryptography", Phys. Rev. A 59, 4238-4248. 

Bechmann-Pasquinucci, H., and A. Peres, 2000, "Quantum 
cryptography with 3-state systems", Phys. Rev. Lett. 85, 
3313-3316. 

Bechmann-Pasquinucci, H., and W. Tittel, 2000, "Quan- 
tum cryptography using larger alphabets", Phys. Rev. A 61, 
062308-1. 

Bell, J.S., 1964, "On the problem of hidden variables in 
quantummechanics" , Review of Modern Phys. 38, 447-452; 
reprinted in "Speakable and unspeakable in quantum mechan- 
ics", Cambridge University Press, New- York 1987. 

Bennett, Ch.H., 1992, "Quantum cryptography using any 
two nonorthogonal states", Phys. Rev. Lett. 68, 3121-3124. 

Bennett, Ch.H. and G. Brassard, 1984, "Quantum cryptog- 
raphy; public key distribution and coin tossing". Int. conf. 
Computers, Systems & Signal Processing, Bangalore, India, 
December 10-12, 175-179. 

Bennett, Ch.H. and G. Brassard, 1985, "Quantum public 
key distribution system" , IBM Technical Disclosure Bulletin, 
28, 3153-3163. 

Bennett, Ch.H., G. Brassard and J.-M. Robert, 1988, "Pri- 
vacy amplification by public discussion" SIAM J. Comp. 17, 
210-229. 

Bennett, Ch.H., F. Bessette, G. Brassard, L. Salvail, and 
J. Smolin, 1992a, "Experimental Quantum Cryptography" , J. 
Cryptology 5, 3-28. 

Bennett, Ch.H., G. Brassard and Mermin N.D., 1992b, 
"Quantum cryptography without Bell's theorem" , Phys. Rev. 
Lett. 68, 557-559. 

Bennett, Ch.H., G. Brassard and A. Ekert, 1992c, "Quan- 
tum cryptography". Scientific Am. 267, 26-33 (int. ed.). 

Bennett, Ch.H., G. Brassard, C. Crepeau, R. Jozsa, A. 
Peres and W.K. Wootters, 1993, "Teleporting an unknown 
quantum state via dual classical and Einstein-Podolsky-Rosen 
channels", Phys. Rev. Lett. 70, 1895-1899. 

Bennett, Ch.H., G. Brassard, C. Crepeau, and U.M. Mau- 
rer, 1995, "Generalized privacy amplification", IEEE Trans. 
Information th., 41, 1915-1923. 

Berry, M.V., 1984, "Quantal phase factors accompanying 
adiabatic changes", Proc. Roy. Soc. Loud. A 392, 45-57. 

Bethune, D., and W. Risk, 2000, "An Autocompensating 
Fiber-Optic Quantum Cryptography System Based on Polar- 
ization Splitting of Light", IEEE J. Quantum Electron., 36, 
340-347. 

Biham, E. and T. Mor, 1997a, "Security of quantum cryp- 
tograophy against collective attacks", Phys. Rev. Lett. 78, 
2256-1159. 

Biham, E. and T. Mor, 1997b, "Bounds on Information and 
the Security of Quantum Cryptography", Phys. Rev. Lett. 
79, 4034-4037. 



45 



Biham, E., M. Boyer, P.O. Boykin, T. Mor and V. Roy- 
chowdhury, 1999, "A proof of the security of quantum key 
distribution" , quant-ph/9912053. 

Bourennane, M., F. Gibson, A. Karlsson, A. Hening, P. 
Jonsson, T. Tsegaye, D. Ljunggren, and E. Sundberg, 1999, 
"Experiments on long wavelength (1550nni) 'plug and play' 
quantum cryptograph}' systems', Opt. Express 4,383-387 

Bourennane, M., D. Ljunggren, A. Karlsson, P. Jonsson, A. 
Hening, and J. P. Ciscar, 2000, "Experimental long wavelength 
quantum cryptography: from single photon transmission to 
key extraction protocols", J. Mod. Optics 47, 563-579. 

Bourennane, M., A. Karlsson and G. Bjorn, 2001a, "Quan- 
tum Key Distribution using multilevel encoding" , Phys. Rev 
A 64, 012306. 

Bourennane, M., A. Karlsson, G. Bjorn, N. Gisin and N. 
Cerf, 2001b, "Quantum Key distribution using multilevel en- 
coding : security analysis", quant-ph/0106049. 

Braginsky, V.B. and F.Ya. Khalili, 1992, "Quantum Mea- 
surements", Cambridge University Press. 

Brassard, G., 1988, "Modern cryptology", Springer- Verlag, 
Lecture Notes in Computer Science, vol. 325. 

Brassard, G. and L. Salvail, 1993, "Secrete-key reconcilia^ 
tion by public discussion" In Advances in Cryptology, Euro- 
crypt '93 Proceedings. 

Brassard, G., C. Crepeau, D. Mayers and L. Salvail, 1998, 
"The Security of quantum bit commitment schemes", Pro- 
ceedings of Randomized Algorithms, Satellite Workshop of 
23rd International Symposium on Mathematical Foundations 
of Computer Science, Brno, Czech Republic, 13-15. 

Brassard, G., N. Liitkenhaus, T. Mor, and B.C. Sanders, 
2000, "Limitations on Practical Quantum Cryptography", 
Phys. Rev. Lett. 85, 1330-1333. 

Breguet, J., A. MuUer and N. Gisin, 1994, "Quantum cryp- 
tography with polarized photons in optical fibers: experimen- 
tal and practical limits", J. Modern optics 41, 2405-2412. 

Breguet, J. and N. Gisin, 1995, "New interferometer using 
a 3x3 coupler and Faraday mirrors", Optics Lett. 20, 1447- 
1449. 

Brcndcl, J., W. Dultz and W. Martienssen, 1995, "Geomet- 
ric phase in 2-photon interference experiments", Phys. rev. 
A 52, 2551-2556. 

Brendcl, J., N. Gisin, W. Tittel, and H. Zbindcn, 1999. 
"Pulsed Energy-Time Entangled Twin-Photon Source for 
Quantum Communication", Phys. Rev. Lett. 82 (12), 2594- 
2597. 

Briegel, H.-J., Dur W., J.I. Cirac, and P. ZoUer, 1998, 

"Quantum Repeaters: The Role of Imperfect Local Opera- 
tions in Quantum Communication", Phys. Rev. Lett. 81, 
5932-5935. 

Brouri, R., A. Beveratios, J.-P. Poizat, P. Grangier, 2000, 
"Photon antibunching in the fluorescence of individual colored 
centers in diamond", Opt. Lett. 25, 1294-1296. 

Brown, R.G.W. and M. Daniels, 1989, "Characterization 
of silicon avalanche photodiodes for photon correlation mea- 
surements. 3: Sub-Geiger operation", Applied Optics 28, 
4616-4621. 

Brown, R.G.W. , K. D. Ridley, and J. G. Rarity, 1986, 
"Characterization of silicon avalanche photodiodes for pho- 
ton correlation measurements. 1: Passive quenching". Ap- 
plied Optics 25, 4122-4126. 



Brown, R.G.W., R. Jones, J. G. Rarity, and Kevin D. Rid- 
ley, 1987, "Characterization of silicon avalanche photodiodes 
for photon correlation measurements. 2: Active quenching". 
Applied Optics 26, 2383-2389. 

Brunei, Ch., B. Lounis, Ph. Tamarat, and M. Orrit, 1999, 
"Triggered Source of Single Photons based on Controlled Sin- 
gle Molecule Fluorescence", Phys. Rev. Lett. 83, 2722-2725. 

Bruss, D., 1998, "Optimal eavesdropping in quantum cryp- 
tography with six states", Phys. Rev. Lett. 81, 3018-3021. 

Bruss, D., A. Ekert and C. Macchiavello, 1998, "Optimal 
universal quantum cloning and state estimation" , Phys. Rev. 
Lett. 81, 2598-2601. 

Buttler, W.T., R.J. Hughes, P.G. Kwiat, S. K. Lamoreaux, 
G.G. Luther, G.L. Morgan, J.E. Nordholt, C.G. Peterson, 
and C. Simmons, 1998, "Practical free-space quantum key 
distribution over 1 km", Phys. Rev. Lett. 81, 3283-3286. 

Buttler, W.T., R.J. Hughes, S.K. Lamoreaux, G.L. Mor- 
gan, J.E. Nordholt, and C.G. Peterson, 2000, "Daylight 
Quantum key distribution over 1.6 km", Phys. Rev. Lett, 
84, pp. 5652-5655. 

Buzek, V. and M. Hillery, 1996, "Quantum copying: Be- 
yond the no-cloning theorem", Phys. Rev. A 54, 1844-1852. 

Cancellieri, G., 1993, "Single- mode optical fiber measure- 
ment: characterization and sensing", Artech House, Boston 
& London. 

Canning, J., M. A. van Eijkelenborg, T. Ryan, M. Kris- 
tensen and K. Lyytikainen, 2000, "Complex mode coupling 
within air-silica structured optical fibers and applications". 
Optics Commun. 185, 321-324 

Cirac, J.I., and N. Gisin, 1997, "Coherent eavesdropping 
strategies for the 4- state quantum cryptography protocol", 
Phys. Lett. A 229, 1-7. 

Clarke, M., R.B., A. Chefles, S.M. Barnett and E. Riis, 
2000, "Experimental Demonstration of Optimal Unambigu- 
ous State Discrimination", Phys. Rev. A 63, 040305. 

Clauser, J.F., M.A. Horne, A. Shimony and R.A. Holt, 
1969, "Proposed experiment to test local hidden variable the- 
ories", Phys. Rev. Lett. 23, 880-884. 

Clauser, J.F. and A. Shimony, 1978, "Bell's theorem: ex- 
perimental tests and implications". Rep. Prog. Phys. 41, 
1881-1927. 

Cova, S., A. Lacaita, M. Ghioni. and G. Ripamonti, 1989, 
"High-accuracy picosecond characterization of gain-switched 
laser diodes". Optics Letters 14, 1341-1343. 

Cova, S., M. Ghioni, A. Lacaita, C. Samori, and F. Zappa, 
1996, "Avalanche photodiodes and quenching circuits for 
single-photon detection". Applied Optics 35(129), 1956-1976. 

Csiszar, I. and Korner, J., 1978, "Broadcast channels with 
confidential messages" , IEEE Transactions on Information 
Theory, Vol. IT-24, 339-348. 

De Martini, F., V. Mussi and F. Bovino, 2000, 
"Schroedinger cat states and optimum universal Quantum 
cloning by entangled parametric amplification" , Optics Com- 
mun. 179, 581-589. 

Desurvire, E., 1994, "The golden age of optical fiber am- 
pfifiers" , Phys. Today, Jan. 94, 20-27. 

Deutsch, D., "Quantum theory, the Church- Turing princi- 
ple and the universal quantum computer" , 1985, Proc. Royal 
Soc. London, Ser. A 400, 97-105. 



46 



Dcutsch, D., A. Ekcrt, R. Jozsa, C. Macchiavollo, S. 
Popcscu, and A. Sanpora, 1996, "Quantum privacy ampli- 
fication and the security of quantum cryptography over noisy 
channels", Phys. Rev. Lett. 77, 2818-2821; Erratum-ibid. 
80, (1998), 2022. 

Dieks, D., 1982, "Communication by EPR devices", Phys. 
Lett. A 92, 271-272. 

Diffie, W. and Hellman M.E., 1976, "New directions in 
cryptography", IEEE Trans, on Information Theory IT-22, 
pp 644-654. 

Dur, W., H.-,J. Bricgcl, J.I. Cirac, and P. Zollcr, 1999, 
"Quantum repeaters based on entanglement purification", 
Phys. Rev. A 59, 169-181 (see also ibid 60, 725-725). 

Dusek, M., M. Jahma, and N. Liitkenhaus, 2000, "Unam- 
biguous state discrimination in quantum cryptography with 
weak coherent states", Phys. Rev. A 62, 022306. 

Einstein, A., B. Podolsky, and N. Rosen, 1935, "Can 
quantum-mechanical description of physical reality be con- 
sidered complete?", Phys. Rev. 47, 777-780. 

Ekert, A.K., 1991, "Quantum cryptography based on Bell's 
theorem", Phys. Rev. Lett. 67, 661-663. 

Ekert, A.K., J.G. Rarity, P.R. Tapster, and CM. Palma, 
1992, "Practical quantum cryptography based on two-photon 
interferomctry" , Phys. Rev. Lett. 69, 1293-1296. 

Ekert, A.K., B. Huttner, 1994, "Eavesdropping Techniques 
in Quantum Cryptosystems" , J. Modern Optics 41, 2455- 
2466. 

Ekert, A.K., 2000, "Coded secrets cracked open". Physics 
World 13, 39-40. 

Elamari, A., H. Zbinden, B. Perny and Ch. Zimmer, 1998, 
"Statistical prediction and experimental verification of con- 
catenations of fibre optic components with polarization de- 
pendent loss", J. Lightwave Techn. 16, 332-339. 

Enzcr, D., P. Hadley, R. Hughes, G. Peterson, and P. 
Kwiat, 2001, private communication. 

Felix, S., A. Stefanov, H. Zbinden and N. Gisin, 2001, 
"Faint laser quantum key distribution: Eavesdropping ex- 
ploiting multiphoton pulses", quant-ph/0102062. 

Fleury, L., J.-M. Segura, G. Zumofen, B. Hecht, and 
U.P. Wild, 2000, "Nonclassical Photon Statistics in Single- 
Molecule Fluorescence at Room Temperature", Phys. Rev. 
Lett. 84, 1148-1151. 

Franson J.D., 1989, "Bell Inequality for Position and 
Time", Phys. Rev. Lett. 62, 2205-2208. 

Franson, J.D., 1992, "Nonlocal cancellation of dispersion" , 
Phys. Rev. A 45, 3126-3132. 

Franson, J.D., and B.C. Jacobs, 1995, "Operational system 
for Quantum cryptography". Elect. Lett. 31, 232-234. 

Freedmann, S.J. and J.F. Clauser, 1972, "Experimental 
test of local hidden variable theories" , Phys. rev. Lett. 28, 
938-941. 

Fry, E.S. and R.C. Thompson, 1976, "Experimental test of 
local hidden variable theories" , Phys. rev. Lett. 37,465-468. 

Fuchs, C.A., and A. Peres, 1996, "Quantum State Distur- 
bance vs. Information Gain: Uncertainty Relations for Quan- 
tum Information", Phys. Rev. A 53, 2038-2045. 

Fuchs, C.A., N. Gisin, R.B. Grifllths, C.-S. Niu, and A. 
Peres, 1997, "Optimal Eavesdropping in Quantum Cryptog- 
raphy. I", Phys. Rev. A 56, 1163-172. 



Gerard, J.-M., B. Sermage, B. Gayral, B. Lcgrand, E. 
Costard, and V. Thierry-Mieg, 1998, "Enhanced Spontaneous 
Emission by Quantum Boxes in a Monolithic Optical Micro- 
cavity", Phys. Rev. Lett., 81, 1110-1113. 

Gerard, J.-M., and B. Gayral, 1999, "Strong Purcell Effect 
for InAs Qantum Boxes in Thrcc-Dimcnsional Solid-State Mi- 
crocavities" , J. Lightwave Technology 17, 2089-2095. 

Gilbert, G., and M. Hamrick, 2000, "Practical Quan- 
tum Cryptography: A Comprehensive Analysis (Part One)", 
MITRE Technical Report (MITRE, McLean USA), quant- 
ph/0009027. 

Gisin, N., 1998, "Quantum cloning without signaling", 
Phys. Lett. A 242, 1-3. 

Gisin, N. et al., 1995, "Definition of Polarization Mode Dis- 
persion and First Results of the COST 241 Round- Robin Mea- 
surements, with the members of the COST 241 group" , JEOS 
Pure & Applied Optics 4, 511-522. 

Gisin, N. and S. Massar, 1997, "Optimal quantum cloning 
machines", Phys. Rev. Lett. 79, 2153-2156. 

Gisin, B. and N. Gisin, 1999, "A local hidden variable 
model of quantum correlation exploiting the detection loop- 
hole", Phys. Lett. A 260, 323-327. 

Gisin, N., and S. Wolf, 1999, "Quantum cryptography on 
noisy channels: quantum versus classical key-agreement pro- 
tocols", Phys. Rev. Lett. 83, 4200-4203. 

Gisin, N., and H. Zbinden, 1999, "Bell inequality and the 
locality loophole: Active versus passive switches" , Phys. Lett. 
A 264, 103-107. 

Gisin, N., and S. Wolf, 2000a, "Linking Classical and Quan- 
tum Key Agreement: Is There "Bound Information"?, Ad- 
vances in cryptology - Proceedings of Crypto 2000, Lecture 
Notes in Computer Science, Vol. 1880, 482-500. 

Gisin, N., R. Renner and S. Wolf, 2000b, "Bound informa- 
tion : the classical analog to bound quantum entanglement, 
Proceedingsof the Third European Congress of Mathematics, 
Barcelona, July 2000. 

Goldenberg, L., and L. Vaidman, 1995, "Quantum Cryp- 
tography Based on Orthogonal States", Phys. Rev. Lett. 75, 
1239-1243. 

Gorman, P.M., P.R. Tapster and J.G. Rarity, 2000, "Secure 
Free-space Key Exchange Over a 1.2 km Range Using Quan- 
tum Cryptography" (DERA Malvern, United Kingdom). 

Haeckcr, W., O. Groezinger, and M.H. Pilkuhn, 1971, "In- 
frared photon counting by Ge avalanche diodes" , Appl. Phys. 
Lett. 19, 113-115. 

Hall, M.J.W., 1995, "Information excusion principle for 
complementary observables" , Phys. Rev. Lett. 74, 3307- 
3310. 

Hariharan, P., M. Roy, P.A. Robinson and O'Byrne J.W., 
1993, "The geometric phase observation at the single photon 
level", J. Modern optics 40, 871-877. 

Hart, A.C., R.C. Huff and K.L. Walker, 1994, "Method of 
making a fiber having low polarization mode dispersion due 
to a permanent spin", U.S. Patent 5,298,047. 

Hildebrand, E., 2001, Ph. D. thesis (Johann- Wolfgang 
Goethe-Universitat, Frankfurt). 

Hillery, M., V. Buzek, and A. Bcrthiaume, 1999, "Quantum 
secret sharing", Phys. Rev. A 59, 1829-1834. 

Hiskett, P. A., G. S. BuUer, A. Y. Loudon, J. M. Smith, I. 
Gontijo, A. C. Walker, P. D. Townsend, and M. J. Robertson, 



47 



2000, "Performance and Design of InGaAs/InP Photodiodcs 
for Single-Photon Counting at 1.55 /im", Appl. Opt. 39, 
6818-6829. 

Hong, C.K. and L. Mandel, 1985, "Theory of parametric 
frequency down conversion of Hght", Phys. Rev. A 31, 2409- 
2418. 

Hong, C.K. and L. Mandel, 1986, "Experimental realiza- 
tion of a localized one-photon state", Phys. Rev. Lett. 56, 
58-60. 

Horodecki, M., R. Horodecki and P. Horodecki, 1996, "Sep- 
arability of Mixed States: Necessary and Sufficient Condi- 
tions", Phys. Lett. A 223, 1-8. 

Hughes, R., G.G. Luther, G.L. Morgan and C. Simmons, 
1996, "Quantum Cryptography over Underground Optical 
Fibers", Lecture Notes in Computer Science 1109, 329-342. 

Hughes, R., W. Buttlcr, P. Kwiat, S. Larnorcaux, G. Mor- 
gan, J. Nordhold, G. Peterson, 2000a, "Free-space quantum 
key distribution in daylight", J. Modern Opt. 47, 549-562. 

Hughes, R., G. Morgan, C. Peterson, 2000b, "Quantum key 
distribution over a 48km optical fibre network", J. Modern 
Opt. 47, 533-547. 

Huttner, B., N. Imoto, N. Gisin, and T. Mor, 1995, "Quan- 
tum Cryptography with Coherent States", Phys. rev. A 51, 
1863-1869. 

Huttner, B., J.D. Gauticr, A. Mullor H. Zbinden, and N. 
Gisin, 1996a, "Unambiguous quantum measurement of non- 
orthogonal states", Phys. Rev. A 54, 3783-3789. 

Huttner, B., N. Imoto, and S.M. Barnett, 1996b, "Short 
distance applications of Quantum cryptography", J. Nonlin- 
ear Opt. Phys. & Materials, 5, 823-832. 

Imamoglu, A., and Y. Yamamoto, 1994, "Turnstile Device 
for Heralded Single Photons : Coulomb Blockade of Electron 
and Hole Tunneling in Quantum Confined p-i-n Hctcrojunc- 
tions", Phys. Rev. Lett. 72, 210-213. 

Inamori, H., L. Rallan, and V. Vedral, 2000, "Security of 
EPR-based Quantum Cryptography against Incoherent Sym- 
metric Attacks", quant-ph/0103058. 

Ingerson, T.E., R.J. Kearney, and R.L. Coulter, 1983, 
"Photon counting with photodiodes" , Applied Optics 22, 
2013-2018. 

Ivanovic, I.D., 1987, "How to differentiate between non- 
orthogonal states", Phys. Lett. A 123, 257-259. 

Jacobs, B., and J. Franson, 1996, "Quantum cryptography 
in free space". Optics Letters 21, 1854-1856. 

Jennewein, T., U. Achleitner, G. Weihs, H. Weinfurter and 
A. Zeilinger, 2000a "A fast and compact quantum random 
number generator". Rev. Sci. Inst. 71, 1675-1680 and 
quantph/9912118. 

Jennewein, T., C. Simon, G. Weihs, H. Weinfurter, and 
A. Zeilinger, 2000b "Quantum Cryptography with Entangled 
Photons", Phys. Rev. Lett. 84, 4729-4732 

Karlsson, A., M. Bouronnanc, G. Ribordy, H. Zbinden, J. 
Brendel, J. Rarity, and P. Tapster, 1999, "A single-photon 
counter for long-haul telecom", IEEE Circuits & Devices 15, 
34-40. 

Kempe, J., Simon Ch., G. Weihs and A. Zeilinger, 2000, 
"Optimal photon cloning", Phys. Rev. A 62, 032302. 

Kim, J., O. Benson, H. Kan, and Y. Yamamoto, 1999, "A 
single-photon turnstile device" , Nature, 397, 500-503. 



Kimble, H. J., M. Dagcnais, and L. Mandel, 1977, "Photon 
antibunching in resonance fluorescence", Phys. Rev. Lett. 
39, 691-694. 

Kitson, S.C., P. Jonsson, J.G. Rarity, and P.R. Tapster, 
1998, "Intensity fluctuation spectroscopy of small numbers of 
dye molecules in a microcavity" , Phys. Rev. A 58, 620-6627. 

Kolmogorow, A.N., 1956, "Foundations of the theory of 
probabilities", Chclsa Pub., New- York. 

Kurtsiefer, Ch., S. Mayer, P. Zarda, and H. Weinfurter, 

2000, "Stable Solid-State Source of Single Photons" , Phys. 
Rev. Lett., 85, 290-293. 

Kurtsiefer, Ch., P. Zarda, S. Mayer, and H. Weinfurter, 

2001, "The breakdown flash of Silicon Avalanche Photodiodes 
- backdoor for eavesdropper attacks?", quant-ph/0104103. 

Kwiat, P.G., A.M. Steinberg, R.Y. Chiao, P.H. Eberhard, 
M.D. Pctroff, 1993, "High-efficiency single-photon detectors" , 
Phys. Rev.A, 48, R867-R870. 

Kwiat, P.G., E. Waks, A.G. White, I. Appelbaum, and P.H. 
Eberhard, 1999, "Ultrabright source of polarization-entangled 
photons", Phys. Rev. A, 60, R773-776. 

Lacaita, A., P.A. Francese, F. Zappa, and S. Cova, 1994, 
"Single-photon detection beyond 1 nm: performance of com- 
ercially available germanium photodiodes". Applied Optics 
33, 6902-6918. 

Lacaita, A., F. Zappa, S. Cova, and P. Lovati, 1996, 
"Single-photon detection beyond 1 /im: performance of com- 
mercially available InGaAs/InP detectors. Appl. Optics 
35(16), 2986-2996. 

Larchuk, T.S., M.V. Teich and B.E.A. Saleh, 1995, "Non- 
local cancellation of dispersive broadening in Mach-Zehnder 
interferometers", Phys. Rev. A 52, 4145-4154. 

Levine, B.F., C.G. Bethea, and J.G. CampbeU, 1985, 
"Room-temperature 1.3-fim optical time domain reflectome- 
tcr using a photon counting InGaAs/InP avalanche detector", 
Appl. Phys. Lettt. 45(4), 333-335. 

Li, M.J., and D.A. Nolan, 1998, "Fiber spin-profile designs 
for producing fibers with low PMD", Optics Lett. 23, 1659- 
1661. 

Lo, H.-K., and H.F. Chau, 1998, "Why Quantum Bit Com- 
mitment And Ideal Quantum Coin Tossing Are Impossible", 
Physica D 120, 177-187. 

Lo, H.-K. and H.F. Chau, 1999, "Unconditional security 
of quantum key distribution over arbitrary long distances" 
Science 283, 2050-2056; also quant-ph/9803006. 

Liitkenhaus, N., 1996, "Security against eavesdropping in 
Quantum cryptography", Phys. Rev. A, 54, 97-111. 

Liitkenhaus, N., 2000, "Security against individual attacks 
for realistic quantum key distribution", Phys. Rev. A, 61, 
052304. 

Maraud, C, and P.D. Townsend, 1995, "Quantum key dis- 
tribution over distances as long as 30 km" , Optics Letters 20, 
1695-1697. 

Martinelli, M., 1992, "Time reversal for the polarization 
state in optical systems", J. Modern Opt. 39, 451-455. 

Martinelli, M., 1989, "A universal compensator for po- 
larization changes induced by birefringence on a retracing 
beam", Opt. Commun. 72, 341-344. 

Maurer, U.M., 1993, "Secret key agreement by public dis- 
cussion from common information" , IEEE Transacions on In- 
formation Theory 39, 733-742. 



48 



Maurer, U.M., and S. Wolf, 1999, "Unconditionnally secure 
key agreement and intrinsic information" , IEEE Transactions 
on Information Theory, 45, 499-514. 

Mayers, D., 1996a, "The Trouble with Quantum Bit Com- 
mitment", quant-ph/9603015. 

Mayers, D., 1996b, "Quantum key distribution and string 
oblivious transfer in noisy channels" , Advances m Cryptology 
— Proceedings of Crypto '96, Springer- Verlag, 343-357. 

Mayers, D., 1997, "Unconditionally secure Q bit commit- 
ment is impossible", Phys. Rev. Lett. 78, 3414-3417. 

Mayers, D., 1998, "Unconditional security in quantum 
cryptography" , Journal for the Association of Computing Ma- 
chinery (to be published); also in quant-ph/9802025. 

Mayers, D., and A. Yao, 1998, "Quantum Cryptography 
with Imperfect Apparatus", Proceedings of the 39th IEEE 
Conference on Foundations of Computer Science. 

Mazurenko, Y., R. Giust, and J. P. Goedgebuer, 1997, 
"Spectral coding for secure optical communications using re- 
fractive index dispersion". Optics Commun. 133, 87-92. 

MeroUa, J-M., Y. Mazurenko, J. P. Goedgebuer, and W.T. 
Rhodes, 1999, "Single- photon interference in sidebands of 
phase-modulated light for Quantum cryptography", Phys. 
Rev. Lett, 82, 1656-1659. 

Michler, P., A. Kiraz, C. Bochcr, W. V. Schoenfeld, P. M. 
Petroff, L. Zhang, E. Hu, and A. Imamoglu, 2000, "A quan- 
tum dot single photon turnstile device". Science (in press). 

Milonni, P.W. and Hardies, M.L., 1982, "Photons cannot 
always be replicated", Phys. Lett. A 92, 321-322. 

Molotkov, S.N., 1998, "Quantum crypto using photon fre- 
quency states (example of a possible rclaization)" , J. Exp. & 
Theor. Physics 87, 288-293. 

MuUer, A., J. Breguet and N. Gisin, 1993, "Experimental 
demonstration of quantum cryptography using polarized pho- 
tons in optical fiber over more than 1 km", Europhysics Lett. 
23, 383-388. 

MuUer, A., H. Zbinden and N. Gisin, 1995, "Underwater 
quantum coding", Nature 378, 449-449. 

MuUer, A., H. Zbinden and N. Gisin, 1996, "Quantum cryp- 
tography over 23 km in installed under-lake telecom fibre", 
Europhysics Lett. 33, 335-339 

MuUer, A., T. Herzog, B. Huttner, W. Tittel, H. Zbinden, 
and N. Gisin, 1997, " 'Plug and play' systems for quantum 
cryptography". Applied Phys. Lett. 70, 793-795. 

Naik, D., C. Peterson, A. White, A. Berglund, and 
P. Kwiat, 2000, "Entangled State Quantum Cryptography: 
Eavesdropping on the Ekert Protocol", Phys. Rev. Lett. 84, 
4733-4736 

Neumann, E.-G., 1988, "Single-mode fibers: fundamen- 
tals". Springer series in Optical Sciences, vol. 57. 

Niu, C. S. and R. B. Griffiths, 1999, "Two-qubit copying 
machine for economical quantum eavesdropping" Phys. Rev. 
A 60, 2764-2776. 

Nogues, G., A. Rauschenbeutel, S. Osnaghi, M. Brune, 
J.M. Raimond and S. Haroche, 1999, "Seeing a single pho- 
ton without destroying it", Nature 400, 239-242. 

Owens, P.C.M., J.G. Rarity, P.R. Tapster, D. Knight, 
and P.D. Townsend, 1994, "Photon counting with passively 
quenched germanium avalanche". Applied Optics 33, 6895- 
6901. 



Penrose, R., 1994, "Shadows of the mind", Oxford Univer- 
sity Press. 

Peres, A., 1988, "How to differentiate between two non- 
orthogonal states", Phys. Lett. A 128, 19. 

Peres, A., 1996, "Separability criteria for density matrices", 
Phys. Rev. Lett. 76, 1413-1415. 

Peres, A., 1997, Quantum Theory: Concepts and Methods, 
Kluwer, Dordrecht. 

Phoenix, S.J.D., S.M. Barnett, P.D. Townsend, and K.J. 
Blow, 1995, "Multi-user Quantum cryptography on optical 
networks", J. Modern optics, 6, 1155-1163. 

Piron, C, 1990, "Mecanique quantique". Presses Polytech- 
niques et Universitaires Romandes, Lausanne, Switzerland, 
pp 66-67. 

Pitowsky, I., 1989, "Quantum probability, quantum logic". 
Lecture Notes in Physics 321, Heidelberg, Springer. 

Rarity, J. G. and P.R. Tapster, 1988, "Nonclassical ef- 
fects in parametric downconversion" , in "Photons & Quan- 
tum Fluctuations", eds Pike & Walther, Adam Hilgcr. 

Rarity, J. G., P.C.M. Owens and P.R. Tapster, 1994, 
"Quantum random-number generation and key sharing". 
Journal of Modern Optics 41, 2435-2444. 

Rarity, J. G., T. E. WaU, K. D. Ridley, P. C. M. Owens, 
and P. R. Tapster, 2000, "Single-Photon Counting for the 
1300-1600-nm Range by Use of Peltier-Cooled and Passively 
Quenched InGaAs Avalanche Photodiodes" , Appl. Opt. 39, 
6746-6753. 

Ribordy, G., J. Brendel, J.D. Gautier, N. Gisin, and H. 

Zbinden, 2001, "Long distance entanglement based quantum 
key distribution", Phys. Rev. A 63, 012309. 

Ribordy, G., J.-D. Gautier, N. Gisin, O. Guinnard, H. 
Zbinden, 2000, "Fast and user-friendly quantum key distri- 
bution", J. Modern Opt., 47, 517-531 

Ribordy, G., J.D. Gautier, H. Zbinden and N. Gisin, 1998, 
"Performance of InGaAsInP avalanche photodiodes £is gated- 
mode photon counters" , Applied Optics 37, 2272-2277. 

Rivest, R.L., Shamir A. and Adleman L.M., 1978, "A 
Method of Obtaining Digital Signatures and Public-Key 
Cryptosystoms" Cornmumcations of the ACM 21, 120-126. 

Santori, C, M. Pelton, G. Solomon, Y. Dale, and Y. Ya- 
mamoto, 2000, "Triggered single photons from a quantum 
dot" (Stanford University, Palo Alto, California). 

Sharmon, C.E., 1949, "Communication theory of secrecy 
systems". Bell System Technical Journal 28, 656-715. 

Shih, Y.H. and CO. Alley, 1988, "New type of Einstein- 
Podolsky-Rosen-Bohm Experiment Using Pairs of Light 
Quanta Produced by Optical Parametric Down Conversion", 
Phys. Rev. Lett. 61, 2921-2924. 

Shor, P.W., 1994, "Algoritms for quantum computation: 
discrete logaxithms and factoring". Proceedings of the 35th 
Symposium on Foundations of Computer Science, Los Alami- 
tos, edited by Shafi Goldwasser (IEEE Computer Society 
Press), 124-134. 

Shor, P.W., and J. Preskill, 2000, "Simple proof of security 
of the BB84 Quantum key distribution protocol" , Phys. Rev. 
Lett. 85, 441-444. 

Simon, C, G. Wcihs, and A. Zoilingcr, 1999, "Quantum 
Cloning and SignaUng", Acta Phys. Slov. 49, 755-760. 

Simon, C, G. Weihs, A. Zeilinger, 2000, "Optimal Quan- 
tum Cloning via Stimulated Emission" , Phys. Rev. Lett. 84, 



49 



2993-2996. 

Singh, S., 1999, "The code book: The Science of Secrecy 
from Ancient Egypt to Quantum Cryptography" (Fourh Es- 
tate, London), see Ekert 2000 for a review. 

Snyder, A.W., 1983, "Optical waveguide theory". Chap- 
man & Hall, London. 

Spinelh, A., L.M. Davis, H. Dautcd, 1996, "Actively 
quenched single-photon avalanche diode for high repetition 
rate time-gated photon counting", Rev. Sci. Instrum 67, 
55-61. 

StaUings, W., 1999, "Cryptography and network security: 
principles and practices" , (Prentice Hall, Upper Saddle River, 
New Jersey, United States). 

Stefanov, A., O. Guinnard, L. Guinnard, H. Zbinden and N. 
Gisin, 2000, "Optical Quantum Random Number Generator" , 
J. Modern Optics 47, 595-598. 

Steinberg, A.M., R Kwiat and R.Y. Chiao, 1992a, "Dis- 
persion cancellation and high-resolution time measurements 
in a fourth-order optical interferometer", Phys. Rev. A 45, 
6659-6665. 

Steinberg, A.M., P. Kwiat and R.Y. Chiao, 1992b, "Dis- 
persion Cancellation in a Measurement of the Single-Photon 
Propagation Velocity in Glass", Phys. Rev. Lett. 68, 2421- 
2424. 

Stucki, D., G. Ribordy, A. Stefanov, H. Zbinden, J. Rarity 
and T. Wall, 2001, "Photon counting for quantum key dis- 
tribution with Peltier cooled InGaAs/InP APD's", preprint. 
University of Geneva, Geneva. 

Sun, P.C., Y. Mazurcnko, and Y. Fainman, 1995, "Long- 
distance frequency-division interferometer for communication 
and quantum cryptography". Opt. Lett. 20, 1062-1063. 

TanziUi, S., H. De Riedmatten, W. Tittel, H. Zbinden, P. 
Baldi, M. De Micheh, D.B. Ostrowsky, and N. Gisin, 2001, 
"Highly efficient photon-pair source using a Periodically Poled 
Lithium Niobate waveguide", Electr. Lett. 37, 26-28. 

Tapster, P.R., J.G. Rarity, and P.C.M. Owens, 1994, "Vio- 
lation of Bell's Inequality over 4 km of Optical Fiber" , Phys. 
Rev. Lett. 73, 1923-1926. 

Thomas, G.A., B.I. Shraiman, P.P. Glodis and M.J. 
Stephen, 2000, "Towaxds the clarity limit in optical fiber". 
Nature 404, 262-264. 

Tittel, W., J. Brcndcl, H. Zbinden, and N. Gisin, 1998, 
"Violation of Bell inequalities by photons more than 10 km 
apart", Phys. Rev. Lett. 81, 3563-3566. 

Tittel, W., J. Brendel, H. Zbinden and N. Gisin, 1999, 
"Long-distance Bell-type tests using energy-time entangled 
photons", Phys. Rev. A 59, 4150-4163. 

Tittel, W., J. Brendel, H. Zbinden, and N. Gisin, 
2000, "Quantum Cryptography Using Entangled Photons in 
Energy-Time Bell States", Phys. Rev. Lett. 84, 4737-4740 

Tittel, W., H. Zbinden, and N. Gisin, 2001, "Experimental 
demonstration of quantum secret sharing" , Phys. Rev. A 63, 
042301. 

Tomita, A. and R. Y. Chiao, 1986, "Observation of Berry's 
topological phase by use of an optical fiber" , Phys. Rev. Lett. 
57, 937-940. 

Townscnd, P., 1994, "Secure key distribution system based 
on Quantum cryptography". Elect. Lett. 30, 809-811. 

Townsend, P., 1997a, "Simultaneous Quantum crypto- 
graphic key distribution and conventional data transmission 



over installed fibre using WDM", Elect. Lett. 33, 188-190. 

Townsend, P., 1997b, "Quantum cryptography on mul- 
tiuser optical fiber networks". Nature 385, 47-49. 

Townsend, P., 1998a, "Experimental Investigation of the 
Performance Limits for First Telecommunications- Window 
Quantum Cryptography Systems", IEEE Photonics Tech. 
Lett. 10, 1048-1050. 

Townsend, P., 1998b, "Quantum Cryptography on Optical 
Fiber Networks", Opt. Fiber Tech. 4, 345-370. 

Townsend, P., J.G. Rarity, andP.R. Tapster, 1993a, "Single 
photon interference in a 10 km long optical fiber interferom- 
eter". Electron. Lett. 29, 634-639. 

Townsend, P., J. Rarity, and P. Tapster, 1993b, "Enhanced 
single photon fringe visibility in a lOkm-long prototype quan- 
tum cryptography channel" , Electron. Lett. 29, 1291-1293. 

Townsend, P.D., S.J.D. Phoenix, K.J. Blow, and S.M. Bar- 
nett, 1994, "Design of QC systems for passive optical net- 
works". Elect. Lett, 30, pp. 1875-1876. 

Vcrnam, G., 1926, "Cipher printing telegraph systems for 
secret wire and radio telegraphic communications", J. Am. 
Institute of Electrical Engineers Vol. XLV, 109-115. 

Vinegoni, C, M. WegmuUer and N. Gisin, 2000a, "Determi- 
nation of nonlinear coefficient n2/Aeff using self-aligned inter- 
ferometer and Faraday mirror", Electron. Lett. 36, 886-888. 

Vinegoni, C, M. WegmuUer, B. Huttner and N. Gisin, 
2000b, "Measurement of nonlinear polarization rotation in a 
highly birefringent optical fiber using a Faraday mirror", J. 
of Optics A 2, 314-318. 

Walls, D.F. and G.J. Milburn, 1995, "Quantum optics". 
Springer- verlag. 

Weihs, G., T. Jermewcin, C. Simon, H. Wcinfurter, and A. 
Zeilinger, 1998, "Violation of Bell's Inequality under Strict 
Einstein Locality Conditions", Phys. Rev. Lett. 81, 5039- 
5043. 

Wiesner, S., 1983, "Conjugate coding", Sigact news, 15:1, 
78-88. 

Wigner, E.P., 1961, "The probability of the existence of a 
self-reproducing unit", in "The logic of personal knowledge" 
Essays presented to Michael Polanyi in his Seventieth birth- 
day, 11 March 1961 Routledge & Kegan Paul, London, pp 
231-238. 

Woofers, W. K. and Zurck, W.H., 1982, "A single quanta 
cannot be cloned'", Nature 299, 802-803. 

Yuen, H.P., 1997, "Quantum amplifiers. Quantum duplica- 
tors and Quantum cryptography" , Quantum & Semiclassical 
optics, 8, p. 939. 

Zappa, F., A. Lacaita, S. Cova, and P. Webb, 1994, 
"Nanosecond single-photon timing with InGaAs/InP photo- 
diodes". Opt. Lett. 19, 846-848. 

Zbinden, H., J.-D. Gautier, N. Gisin, B. Huttner, A. 
MuUer, and W. Tittel, 1997, "Interferometry with Faraday 
mirrors for quantum cryptography". Electron. Lett. 33, 586- 
588. 

Zeilinger, A., 1999, "Experiment and the foundations of 
quantum physics". Rev. Mod. Phys. 71, S288-S297. 

Zissis, G., and A. Larocca, 1978, "Optical Radiators and 
Sources", Handbook of Optics, edited by W. G. Driscoll 
(McGraw-Hill, New York), Sec. 3. 

Zukowski, M., A. ZeiUnger, M.A. Home and A. Ekert, 1993, 
" 'Event-ready-detectors' Bell experiment via entanglement 



50 



swapping", Phys. Rev. Lett. 71, 4287-4290. 

Zukowski, M., A. Zeilinger, M. Horne, and H. Weinfurter, 
1998, "Quest for GHZ states", Acta Phys. Pol. A 93, 187- 
195. 



FIGURES 



/ 1 




\o 

FIG. 1. Implementation of the BB84 protocol. The four 
states lie on the equator of the Poincare sphere. 




FIG. 2. Poincare sphere with a representation of six states 
that can be used to implement the generalization of the BB84 



Alice Bob 




FIG. 3. EPR protocol, with the source and a Poincare rep- 
resentation of the four possible states measured independently 
by Alice and Bob. 



51 



Alice 



Bob 



t 

EPR^ 

BB84 
protocol 



e 
t 

® 

Test of Bell 
inequality 



t 

Ekert 
protocol 



FIG. 4. Illustration of protocols exploiting EPR quantum 
systems. To implement the BB84 quantum cryptographic 
protocol, Alice and Bob use the same bases to prepare and 
measure their particles. A representation of their states on 
the Poincare sphere is shown. A similar setup, but with Bob's 
bases rotated by 45° , can be used to test the violation of Bell 
inequality. Finally, in the Ekert protocol, Alice and Bob may 
use the violation of Bell inequality to test for eavesdropping. 



output 1 output 2 



coupler 




FIG. 5. Photo of our entangled photon-pair source as used 
in the first long-distance test of Bell inequalities (Tittel et 
al. 1998). Note that the whole source fits in a box of only 
40 X 45 X 15cm'' size, and that neither special power supply 
nor water cooling is necessary. 



s 



\ ' 1 ' 1 


1 1 1 1 1 


1 ' /_ 


i Rayleigh ^ 
backscattering 


OH absorption 


/ - 


UV absorptiaa. 

, 1 \ , 1 


1 , 1 


infrared 
/ absorption 



0.6 0.8 1.0 1.2 1.4 1.6 1.8 

Wavelength [|im] 

FIG. 6. Transmission losses versus wavelength in optical 
fibers. Electronic transitions in Si02 lead to absorption at 
lower wavelengths, excitation of vibrational modes to losses 
at higher wavelength. Superposed is the absorption due to 
Rayleigh backscattering and to transitions in OH groups. 
Modern telecommunication is based on wavelength around 
1.3 fim (second telecommunication window) and around 1.5 
/im (third telecommunication window). 



1280 



1295 



wavelength [nm] 

1310 



1325 



1340 



500 



400 ■■ 



— 300 



>. 
ra 
<u 
■a 
a. 

3 
O 





1 — 




— 7~ 




-•-signal 








idler 




Wo / / 












\ 





- t. 



2.34 2.315 2.29 2.265 

frequency [lO^* Hz] 



2.24 



FIG. 7. Illustration of cancellation of chromatic dispersion 
effects in the fibers connecting an entangled-particle source 
and two detectors. The figure shows differential group delay 
(DGD) curves for two slightly different, approximately 10 km 
long fibers. Using frequency correlated photons with central 
frequency uio - determined by the properties of the fibers -, 
the difference of the propagation times t2 — ti between signal 
(at a;sl,tJs2) and idler photon (at ujil,uii2) is the same for 
all cjsyiiJi- Note that this cancellation scheme is not restricted 
to signal and idler photons at nearly equal wavelengths. It 
applies also to asymmetrical setups where the signal photon 
(generating the trigger to indicate the presence of the idler 
photon) is at a short wavelength of around 800 nm and travels 
only a short distance. Using a fiber with appropriate zero 
dispersion wavelength Aq, it is still possible to achieve equal 
DGD with respect to the energy-correlated idler photon at 
telecommunication wavelength, sent through a long fiber. 



52 




0.70 0.75 0.80 0.85 0.90 0.95 1.00 

Wavelength (|im) 

FIG. 8. Transmission losses in free space as calculated us- 
ing the LOWTRAN code for earth to space transmission at 
the elevation and location of Los Alamos, USA. Note that 
there is a low loss window at around 770 nm - a wavelength 
where high efficiency Silicon APD's can be used for single 
photon detection (see also Fig. ^ and compare to Fig. 



FIG. 10. Normalized net key creation rate p„et as a func- 
tion of the distance in optical fibers. For n = 1, Alice uses 
a perfect single photon source. For n > 1, the link is di- 
vided into n equal length sections and n/2 2-photon sources 
are distributed between Alice and Bob. Parameters: detec- 
tion efficiency r) = 10%, dark count probability Pdark ~ 10~*, 
fiber attenuation a = 0.25 dB/km. 




40 60 80 
Distance [km] 



120 



1E-13 





1E-14 






X 




1, 


1E-15 


0. 




UJ 




z 


1E-16 



1E-17 





InGaAs APD 
,150 K 

. ll 


\ Si APD / 


Ge APD 
77 K 



400 600 800 1000 1200 1400 1600 1800 
Wavelength [nm] 



FIG. 9. Noise equivalent power as a function of wavelength 
for Silicon, Germanium, and InGaAs/InP APD's. 



FIG. 11. Bit rate after error correction and privacy ampli- 
fication vs. fiber length. The chosen parameters are: pulse 
rates 10 Mhz for faint laser pulses (/x = 0.1) and 1 MHz for the 
case of ideal single photons (1550 nm "single"); losses 2, 0.35 
and 0.25 dB/km, detector efficiencies 50%, 20% and 10%, and 



dark count probabilities 10 



10" 



10"^ for 800nm, 1300nm 



and 1550 nm respectively. Losses at Bob and QBERopt are 
neglected. 



Alice 



Bob 



LD 1 



LD2 



BS 



LD3 



LD4 



BS 



Basis 1 



APD 



Quantum PBS 
Channel 




APD 

Waveplates Basis 2 




25 50 75 IOC 125 150 175 200 
Distance [l(m] 



FIG. 12. Typical system for quantum cryptography using 
polarization coding (LD: laser diode, BS: beamsplitter, F: 
neutral density ffiter, PBS: polarizing beam splitter, A/2: half 
waveplate, APD: avalanche photodiode). 



53 




FIG. 13. Geneva and Lake Geneva. The Swisscom optical 
fiber cable used for quantum cryptography experiments runs 
under the lake between the town of Nyon, about 23 km north 
of Geneva, and the centre of the city. 




Alice 



Bob 




0" 

APD 

"1" 



FIG. 14. Conceptual interferometric set-up for quantum 
cryptography using an optical fiber Mach-Zehnder interferom- 
eter (LD: laser diode, PM: phase modulator, APD: avalanche 
photodiode). 




FIG. 15. Poincare sphere representation of two-levels quan- 
tum states generated by two-paths interferometers. The 
states generated by an interferometer where the first coupler 
is replaced by a switch correspond to the poles. Those gener- 
ated with a symetrical beamsplitter are on the equator. The 
azimuth indicates the phase between the two paths. 



Alice 






/ W \ 












APD 



FIG. 16. Double Mach-Zehnder implementation of an in- 
terferometric system for quantum cryptography (LD: laser 
diode, PM: phase modulator, APD: avalanche photodiode). 
The inset represents the temporal count distribution recorded 
as a function of the time passed since the emission of the pulse 
by Alice. Interference is observed in the central peak. 



Faraday Rotator (1st pass) 
Optical fiber 



Input State 




Mirror reflection 

Output State 



Optical fiber 
(return) 



Faraday Rotator (2nd pass) 



FIG. 17. Evolution of the polarization state of a light pulse 
represented on the Poincare sphere over a round trip propa- 
gation along an optical fiber terminated by a Faraday mirror. 



Alice 



Quantum Channel 




Long arm 




Bob 


?^ 


PMb 




V APD 








^„ Short am 
PBS 


1* 



FM 



FIG. 18. Self-aligned "Plug & Play" system (LD: laser 
diode, APD: avalanche photodiode, C^: fiber coupler, PM^: 
phase modulator, PBS: polarizing beamsplitter, DL: optical 
delay line, FM: Faraday mirror. Da: classical detector). 



54 





LD - A - 


PMa- 


Alice 


RFOa- 



Quantum 
Channel 

_Q_ 



Frequency 
locking 



APD 



Or 



RFOp 



Bob 



FIG. 19. Implementation ol sideband modulation (LD: 
laser diode, A: attenuator, PM^: optical phase modulator, 
electronic phase controller, RFOfc: radio frequency oscil- 
lator, FP: Fabry-Perot filter, APD; avalanche photodiode). 




FIG. 20. Multi-users implementation of quantum cryptog- 
raphy with one Alice connected to three Bobs by optical 
fibers. The photons sent by Alice randomly choose to go to 
one or the other Bob at a coupler. 




Quantum 
Channels 

FIG. 21. Typical system for quantum cryptography ex- 
ploiting photon pairs entangled in polarization (PR: active 
polarization rotator, PBS: polarizing beamsplitter, APD: 
avalanche photodiode). 



> i- 



4- 




pcrfcci con-clarion 

1^ 



FIG. 22. Principle of phase coding quantum cryptography 
using energy-time entangled photons pairs. 




FIG. 23. System for phase-coding entanglement based 
quantum cryptography (APD: avalanche photodiode). The 
photons choose their bases randomly at Alice and Bob's cou- 
plers. 




FIG. 24. Quantum cryptography system exploiting pho- 
tons entangled in energy-time and active basis choice. Note 
the similarity with the faint laser double Mach-Zehnder im- 
plementation depicted in Fig. |l^. 







|Laser |- 


810 nm 




m 1 



rv ^550 r 



Nd:YAG 
532 nm \hH- 



Classical channel 
(1560 nm) 



8.5 km 



Quantum channel 
(DS Fiber) 



rr n Classical 
"T^^ Detector 



Bob 



Interferometer 



FIG. 25. Schematic diagram of the first system designed 
and optimized for long distance quantum cryptography and 
exploiting phase coding of entangled photons. 



|i>p,|sX , l'>pJ'>/ 



|.<>p,|/:^,-|/>p.k>B 




beam'SpUtter 



Alice 



Bob 



FIG. 26. Schematics of quantum cryptography using en- 
tangled photons phase-time coding. 



55 




FIG. 27. Poincare representation of the BB84 states and 
the intermediate basis, also known as the Breidbart basis, 
that can be used by Eve. 



Alice 




Eve 



u 



Bob 




perturbation 



information 



FIG. 28. Eavesdropping on a quantum channel. Eve ex- 
tracts information out of the quantum channel between Alice 
and Bob at the cost of introducing noise into that channel. 




0.0 0.1 £ 0.2 IRj 0.3 IR^ 0.4 0.5 

° Quantum bit error rate (QBER) 

FIG. 30. Eve and Bob information versus the QBER, here 
plotted for incoherent eavesdropping on the 4-state protocol. 
For QBERs below QBERo, Bob has more information than 
Eve and secret-key agreement can be achieved using classical 
error correction and privacy amplification. These can, in prin- 
ciple, be implemented using only 1-way communication. The 
secret-key rate can be as large as the information differences. 
For QBERs above QBERo (= 2?o), Bob has a disadvantage 
with respect to Eve. Nevertheless, Alice and Bob can apply 
quantum privacy amplification up to the QBER correspond- 
ing to the intercept-resend eavesdropping strategies, IR4 and 
IRe for the 4-state and 6-state protocols, respectively. Alter- 
natively, they can apply a classical protocol called advantage 
distillation which is effective precisely up to the same maxi- 
mal QBER IR4 and IRg. Both the quantum and the classical 
protocols require then 2-way communication. Note that for 
the eavesdropping strategy optimal from Eve' Shannon point 
of view on the 4-state protocol, QBERo correspond precisely 
to the noise threshold above which a Bell inequality can no 
longer be violated. 




FIG. 29. Poincare representation of the BB84 states in the 
event of a symmetrical attack. The state received by Bob after 
the interaction of Eve's probe is related to the one sent by 
Alice by a simple shrinking factor. When the unitary operator 
U entangles the qubit and Eve's probe, Bob's state (eq. ^ ) 
is mixed and is represented by a point inside the Poincare 
sphere. 



56 



T3 

U 

-a 



0- 



a) sifted 
key 



B 



0- 

b) error 
correction 



c) privacy 
amplification 



B=l 



E=0 
d) secret 
key 



FIG. 31. Intuitive illustration of theorem 1. The initial 
situation is depicted in a). During the 1-way public discussion 
phase of the protocol Eve receives as much information as 
Bob, the initial information difference 5 thus remains. After 
error correction, Bob's information equals 1, as illustrated on 

b) . After privacy amplification Eve's information is zero. In 

c) Bob has replaced all bits to be disregarded by random bits. 
Hence the key has still the original length, but his information 
has decreased. Finally, removing the random bits, the key is 
shortened to the initial information difference, see d). Bob 
has full information on this final key, while Eve has none. 




FIG. 32. Realistic beamsplitter attack. Eve stops all 
pulses. The two photon pulses have a 50% probability to 
be analyzed by the same analyzer. If this analyzer is compat- 
ible with the state prepared by Alice, then both photon are 
detected at the same outcome; if not there is a 50% chance 
that they are detected at the same outcome. Hence, there 
is a probability of 3/8 that Eve detects both photons at the 
same outcome. In such a case, and only in such a case, she 
resends a photon to Bob. In 2/3 of these cases she introduces 
no errors since she identified the correct state and gets full 
information; in the remaining cases she has a probability 1/2 
to introduce an error and gains no information. The total 
QBER is thus 1/6 and Eve's information gain 2/3. 



57 



